Understanding GDPR: Fundamentals

Anand Krishnan
Senior Analyst-Policy
CIPP/E, CIPM, DCPP
Introduction

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.

Enforcement date: 25 May 2018, at which time those organizations in non-compliance will face heavy fines.
Fundamentals

1. Scope of application of the GDPR.

2. Controller and Processor.

3. Legal grounds for the processing of personal data.

4. Sensitive data.

5. DPIA, DPO, privacy by design and by default.

6. Individual’s rights.

7. Security and data breach notifications.

8. Processing by third parties.

9. Cross-border data transfer restrictions.


Scope of Application

GDPR applies to EU companies:

-Controllers and processors established in the EU.
-Establishment implies the effective and real exercise of activity through stable arrangements, regardless of its legal form (e.g. branch, subsidiary, etc.).

GDPR applies to non-EU companies:

-Controllers and processors not established in the EU but “targeting” EU individuals by:
• Offering goods/services to individuals in the EU, even free of charge.
• Monitoring the behaviour of individuals located in the EU.
Scope of Application

GDPR applies to personal data:


-Any information relating to an identified or identifiable individual.
-Any information that can be “linked back” to an individual by anyone and by any
means “reasonably likely to be used”.
-Information qualifies as personal data as soon as an individual can be singled out.
-Online identifiers (e.g., IP address, unique device ID, cookie identifiers) and
location data are explicitly included in the definition of personal data.
-Pseudonymized data (i.e., data that cannot be attributed to an individual without
the use of additional information) is personal data.

GDPR doesn’t apply to anonymised data:


-Anonymised data are not personal data, but the threshold for anonymisation is
very high in the EU.
-De-identified data are unlikely to be anonymous data.
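The distinction the slide draws between pseudonymised and anonymised data is easiest to see in code. The following is an added example, not part of the original deck: it pseudonymises a constructed set of customer records with an HMAC-SHA256 token, keeps the key and a re-identification table as the "additional information", and then shows why the result is still personal data (records about the same person remain linkable, and anyone holding the key or the table can re-attribute them). For contrast it also shows that an unkeyed hash can be reversed by anyone who can recompute it over a candidate list, which is a means "reasonably likely to be used". All records, addresses and function names here are constructed for the example.

```python
"""Pseudonymisation vs. anonymisation, illustrated (added example, not from the slides)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records; the addresses are fictitious.
RECORDS = [
    {"email": "alice@example.com", "purchase": "book"},
    {"email": "bob@example.com", "purchase": "lamp"},
    {"email": "alice@example.com", "purchase": "pen"},
]


def make_key() -> bytes:
    """Secret pseudonymisation key: the first piece of 'additional information'."""
    return secrets.token_bytes(32)


def pseudonymise(email: str, key: bytes) -> str:
    """Deterministic keyed token. The same person always maps to the same token,
    so records stay linkable and the individual can still be singled out."""
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_dataset(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Replace the direct identifier with a token.

    Returns the pseudonymised rows and a token -> e-mail table. The table is the
    second piece of 'additional information' and must be stored separately from
    the rows; whoever holds it can re-attribute every row to a person."""
    lookup: Dict[str, str] = {}
    rows: List[dict] = []
    for r in records:
        token = pseudonymise(r["email"], key)
        lookup[token] = r["email"]
        rows.append({"subject_token": token, "purchase": r["purchase"]})
    return rows, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Attribution with the additional information: trivial for the holder."""
    return lookup.get(token)


def is_linkable(rows: List[dict]) -> bool:
    """True if two rows share a token, i.e. the dataset still singles someone out."""
    tokens = [r["subject_token"] for r in rows]
    return len(tokens) != len(set(tokens))


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256, shown only as a contrast: not an adequate pseudonym."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def guess_from_candidates(token: str, candidates: List[str], key: Optional[bytes] = None) -> Optional[str]:
    """Re-identification by recomputation over a candidate list.

    Against naive_hash this needs nothing but the list, so the 'anonymisation'
    fails the 'reasonably likely to be used' test. Against the keyed token it
    only succeeds when the key is also known."""
    for candidate in candidates:
        h = pseudonymise(candidate, key) if key is not None else naive_hash(candidate)
        if hmac.compare_digest(h, token):
            return candidate
    return None


if __name__ == "__main__":
    k = make_key()
    rows, table = pseudonymise_dataset(RECORDS, k)
    print("linkable:", is_linkable(rows))
    print("re-identified:", reidentify(rows[0]["subject_token"], table))
```

The design point for a defender: a keyed token plus a separately held table is pseudonymisation, which keeps the data inside the GDPR and therefore inside the security and breach-notification obligations described later in the deck; dropping the key and the table does not by itself make the rows anonymous while they still single out an individual.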
Controller and Processor

Data Controller

The entity that, alone or jointly with others, determines:

-Purposes for data processing (“Why”)
-Means of data processing (“How”)

Joint controller v. Separate Controller

Data Processor

The entity that processes personal data:

-On behalf of the controller
-Under the instructions of the controller

Sub-Processor

Controller and Processor

Joint controller v. Separate Controller

-In the case of joint control, several parties jointly determine the purposes and means of one or more processing activities.

-The distinction between “joint” and “separate” control may be difficult to draw in practice.

-If the parties do not pursue the same objectives (“purpose”), or do not rely upon the same means for achieving their respective objectives, their relationship is likely to be one of “separate controllers” rather than “joint controllers”.

-Conversely, if the actors in question do determine the purposes and means of a set of processing operations together, they will be considered to act as “joint controllers”.

Controller and Processor

-Separate controllers exchange personal data with one another, but do so without making any joint decisions about the purposes and means of any specific processing operation.

-In such cases, each party is independently (yet fully) responsible for ensuring compliance of its own processing activities. In principle, the liability exposure of each party is also strictly limited to the processing activities under its own control.
Legal Grounds for Processing

-Data Subject’s Consent
-Performance of a contract
-Legal obligation
-Vital interests of a person
-Public interest/official authority
-Legitimate interests of the controller or a third party

Consent

Consideration for consent / What does this imply?

Clear, affirmative and unambiguous:
-Individual gives consent by clear and affirmative action.
-Silence, pre-ticked boxes, or inactivity does not amount to consent.

Informed:
-Individual must be aware of, at least: (1) controller’s identity; (2) purposes of the processing; and (3) possibility to withdraw consent.

Specific:
-Consent cannot be “hidden” in the Privacy Policy or the T&Cs.
-The consent covers all processing activities for the same purpose.
-If there are more purposes, consent must be given for each purpose.
-Prohibition of “bundled” consent.

Freely given:
-Consent must be a genuine and free choice, and individuals must be able to refuse or withdraw it at any time without detriment.
-Consent not valid when there is a clear imbalance between the individual and the controller.
-Presumption that consent is not freely given when:
• Individual is not allowed to give separate consent to different processing activities.
• The provision of service depends on consent while it is not necessary for the performance.
Legitimate Interests

Balancing exercise between the interests at stake:

-The interests of the controller or the third party
-The interests and fundamental rights of individuals

Examples of legitimate interests:

-Fraud prevention
-Ensuring security of network and information systems, and security of related services offered through such networks and systems.
-Whistle-blowing schemes

Working Party Opinion 06/2016: for the balancing test to apply, the interest pursued must:

-be lawful (in accordance with applicable EU and national law)
-be sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject
-represent a real and present interest (not be speculative)
Sensitive Data

New categories of sensitive data added in the GDPR:

New definitions of sensitive data categories:

-Data concerning health: personal data related to the physical or mental health of an individual, including the provision of health care services revealing health status.

-Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of an individual, which allow his or her unique identification (e.g., facial images or dactyloscopic data).

-Genetic data: personal data relating to the inherited or acquired genetic characteristics of an individual which give unique information about his or her physiology or health (e.g., from analyzing a biological sample).
DPIA, DPO, Privacy by Design and Default

Data Protection Impact Assessment (DPIA)

Is there a high risk for the individual? → Assessment of risks for individuals → Identification of the mitigation measures → If a high risk remains, consult the DPA.

Data Protection Officer (DPO)

-Advises company and its staff on GDPR obligations.

-Monitors compliance with GDPR and internal privacy policies (assignment of responsibilities; awareness-raising; trainings; audits).

-Provides advice on DPIA and monitors its performance.

-Cooperates with DPAs and acts as a contact point (in case of DPA consultation).
DPIA, DPO, Privacy by Design and Default

Privacy by Design and Default

“Controllers must ensure that, in the planning phase of processing activities and implementation phase of any new product or service, data protection principles and appropriate safeguards are addressed/implemented.”
(Article 25, GDPR)
Individual’s Rights
 Existing rights:
1. Notice right (transparency requirement).
2. Right of access.
3. Right to rectification.
4. Right to restriction.
5. Right to object.
6. Right to erasure (“right to be forgotten”).
7. Right not to be subject to automated decision-making.

 GDPR introduces new rights:


1. Right to data portability.
2. Data breach notification requirements.
Security and Data Breach Notifications

General security obligation

-Obligation to assess the risks and implement security measures to mitigate those risks.
-Applies to both controllers and processors.
-Criteria for identifying the right mitigating measures:
• the state of the art;
• the costs of implementation;
• the nature, scope, context and purposes of processing;
• the risk of varying likelihood and severity for the rights of individuals, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
-Obligation to train staff having access to personal data on the steps to follow in case of a data breach (adopt an incident response plan).
Security and Data Breach Notifications

How are data breaches to be notified?

-Processor → Controller: notification of data breach.
-Controller → DPA: notification of data breach within 72 hrs.
-Controller → Data subjects: notification of data breach if “high risk”, without undue delay.


Processing by Third Parties

Controller to Processor

-Mandatory contract (data processing agreement) between the controller and processor.
-The contract must oblige the processor to only process data on the instruction of the controller and to assist the controller to comply with the GDPR.

Processor to Sub-Processor

-Mandatory contract (data processing agreement) between the processor and sub-processor.
-The contract must impose on the sub-processor the same obligations as are imposed on the processor.
Cross Border Data Transfers

The GDPR maintains existing restrictions and confirms / creates data transfer mechanisms:
Thank you!
