4. Fundamental Rights
EU Charter of Fundamental Rights, article 8(1): “Everyone has the right to the
protection of personal data concerning him or her.”
[≠ ECHR/UDHR] [≠ right to privacy]
Through the expansion of the ‘information society’ the public and private sectors process ever larger quantities of Personal Data (e.g. HR/Customer data)
EU and national legislative initiatives
5. EU Legislative Acts
1995: Directive
‒ Requires national implementation
‒ EU Data Protection Directive (95/46/EC)
E.g. Belgium: The Privacy Act
2016: Regulation
‒ Direct effect in the EU
‒ From the day it enters into force
GDPR: 24 May 2016, but applies from 25 May 2018 (2 year transitional period)
6. Why a new overriding Regulation?
Directive 95/46/EC sought to harmonize national legislations and ensure the free flow of data within the EU
But:
– Still differences in national implementation and application
– Limited cooperation between Data Protection Authorities (‘DPA’)
– Many technological & societal changes in the 20 years since Dir. 95/46/EC
– Need to strengthen Data Subjects' rights
7. Personal Data
Personal Data are everywhere!
“Any information relating to an identified or identifiable natural person”
E.g. Name, location data, IP-address, customer number, …
Stricter rules for special categories of Personal Data (general prohibition)
‒ Racial or ethnic origin
‒ Political opinions
‒ Genetic and biometric data (biometric data solely for identification purposes)
‒ Health data
‒ …
8. Processing
Data Subject
‒ Personal Data, e.g. Customer Data: Name, Date of birth, Address, …
Controller
‒ Determines the purposes and the manner of the processing
‒ e.g. iFORi: for marketing purposes, through an online registration form
Processor
‒ Separate legal entity that processes on behalf of the Controller
‒ e.g. Marketer: carries out mail marketing
9. Main objective
Ensure the right of an individual to make his own decisions regarding the information that relates to him.
Principles of processing:
‒ Fair, lawful and transparent
‒ Purpose limitation
‒ Data minimization
‒ Accuracy
‒ Storage limitation
‒ Integrity and confidentiality
11. I. Territorial Scope
The GDPR applies when:
‒ Processing takes place in the context of the activities of an establishment in the EU
‒ The data subjects are located in the EU, and the processing is related to:
• Offering goods or services
• Monitoring of their behavior (in the EU)
12. II. Lawfulness
A valid legal basis to process the data is required:
‒ Consent
• Freely given, specific, informed and unambiguous
• It must be given by a statement or a clear affirmative action (thus opt-out NOT possible)
• Proof of consent to be provided by Controller
• Withdrawable
• Obtained separately
• Children: when offering information society services, processing is only lawful where the child is at least 16 years old. Younger = consent by holder of parental responsibility
13. III. Rights of the data subject
‒ Transparency
‒ Access
‒ Rectify
‒ Erasure (right to be forgotten)
‒ Restriction
‒ Portability
‒ Object
‒ Not be subject to automated decision making/profiling
14. IV. Controllers and Processors
Controllers
‒ Privacy by default & design
‒ Records (Notification)
• Not where <250 employees, unless high risk
• Including general description of security measures
‒ Data breach notification
‒ Privacy Impact Assessment (PIA)/Prior consultation of DPA
‒ Data Protection Officer (DPO)
‒ Data security
15. Data Breach Notification
To Data Protection Authority (DPA)
– 72h deadline
– Specific information
– Documentation
To data subject
– High risk to rights and freedoms
– Clear and plain language
– Exceptions
16. Data Protection Officer (DPO)
When?
‒ Public authority or body
‒ Regular and systematic monitoring of data subjects
‒ Processing of special categories of data
Tasks?
‒ Inform and advise on the obligations pursuant to the GDPR
‒ Monitor compliance
‒ Advise on draft of PIA
‒ Cooperate with DPA
‒ External contact
Who?
17. Data Security
Ensure confidentiality, integrity, availability, resilience
By implementing appropriate technical and organizational measures
Risk-based approach (the state of the art, the costs of implementation, …)
– Encryption/Pseudonymisation
– Audits
– Back-up and redundancy
18. Pseudonymisation
“The processing of personal data in such a way that the data can no longer be
attributed to a specific data subject without the use of additional information”
– Process beyond original collection purposes;
– Safeguard for processing personal data for scientific, historical and statistical purposes;
– Feature of data protection by design;
– Helps meet Data Security requirements;
– Limits the rights of Data Subjects
19. Processors
‒ Comply with specific obligations
• Records
• Data Security
• PIA/DPO
• Breach notification to Controller
‒ Directly liable
20. V. Transfers
General prohibition on transfers outside EEA (28+3)
– Adequacy Decision
• White list
• Privacy Shield (US)
– Appropriate Safeguards
• Model Clauses (EC/DPA/Ad hoc)
• Binding Corporate Rules
• Codes of conduct/Certification
– Derogations (e.g. explicit consent)
21. VI. Sanctions
Administrative Fines by DPA: effective, proportionate & dissuasive
– Up to the greater of €20.000.000 or 4% of the total worldwide annual turnover of an undertaking
Private claims by data subjects
– Complaint to the DPA
– Courts for compensation from Controller or Processor
Criminal penalties possible where provided by member states
22. VII. “One-stop-shop”
Controllers and Processors answer to a ‘lead supervisory authority’
– Based on their single or main establishment in the EU
– For cross-border processing
But other supervisory authorities may still address infringements
– If it relates to an establishment in its Member State (MS); or
– If it substantially affects data subjects in its MS
Consistency through cooperation between DPAs with EDPB oversight
24. Cookies
Directive on privacy and electronic communications - Telecoms Law
– Information
– Consent
GDPR
– Processing of personal data
‒ Controller: You/Third party cookie provider
‒ Processor: Third party cookie provider
25. NIS: Network and Information Security Directive
Strengthening Cybersecurity within the EU
For sectors which are vital for the economy and society:
– Operators of Essential Services
• Energy
• Transport
• Banking
• Financial market infrastructures
• Health sector
• Drinking water supply and distribution
• Digital infrastructure
– Digital Service Providers
• Online marketplaces
• Online search engines
• Cloud computing services
26. Employees
Monitoring E-mail: Belgium: CAO nr. 81 & Privacy Act
Principles: Finality, Proportionality, Transparency
– Professional communications(?): Access (?)
– Non-professional communications: Individualization Procedure
See also recommendations by Privacy Commission
GDPR allows for more specific national rules in the context of employment
28. Take Action
Not everything has changed, just as not everything has been harmonized
New obligations, but also removal of some administrative burdens and further guidance
(New) technologies introduce new compliance risks, but technologies can also be used to mitigate risk and/or ensure compliance
Take action now!
GDPR applies from 25 May 2018
In sum, it is a privacy-enhancing technique where directly identifying data is held separately and securely from processed data to ensure non-attribution.
Still personal data!
Other purposes: Encryption and pseudo
Encryption: adhere to Data security principles + no breach notification + for other purposes (appropriate safeguards)
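An added illustration (not code from the slides) of the pseudonymisation described on slide 18 and in the notes above: directly identifying fields are stripped from the working dataset and held in a separate lookup table, with the pseudonym derived by a keyed hash. The key and the lookup table are the "additional information" of the GDPR definition; the customer numbers and names are constructed sample values, and the field names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Direct identifiers taken from the slide's customer-data example (assumed field
# names). They leave the working dataset and live only in the lookup table.
DIRECT_IDENTIFIERS = ("customer_number", "name", "date_of_birth", "address")

Record = Dict[str, str]


def generate_key() -> bytes:
    """Secret key for the keyed hash; store it apart from the working data."""
    return secrets.token_bytes(32)


def make_pseudonym(customer_number: str, key: bytes) -> str:
    """Keyed hash of the (assumed stable) customer number; without the key the
    pseudonym cannot be recomputed from the identifier, and vice versa."""
    return hmac.new(key, customer_number.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[Record], key: bytes) -> Tuple[List[Record], Dict[str, Record]]:
    """Split records into (working_dataset, lookup_table). The working rows carry
    only the pseudonym plus non-identifying attributes; the lookup table maps
    pseudonym -> direct identifiers and must be stored separately and securely."""
    working: List[Record] = []
    lookup: Dict[str, Record] = {}
    for rec in records:
        pid = make_pseudonym(rec["customer_number"], key)
        lookup[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = pid
        working.append(row)
    return working, lookup


def reidentify(row: Record, lookup: Dict[str, Record]) -> Record:
    """Attribution becomes possible again only with the lookup table, which is
    why pseudonymised data are still personal data under the GDPR."""
    attributes = {k: v for k, v in row.items() if k != "pseudonym"}
    return {**attributes, **lookup[row["pseudonym"]]}


# Constructed sample data (fictitious customers).
SAMPLE_RECORDS: List[Record] = [
    {"customer_number": "C-1001", "name": "Ann Example", "date_of_birth": "1980-02-03",
     "address": "1 Example St, Brussels", "newsletter": "yes", "segment": "A"},
    {"customer_number": "C-1002", "name": "Bob Sample", "date_of_birth": "1975-11-21",
     "address": "2 Sample Rd, Ghent", "newsletter": "no", "segment": "B"},
]
```

The working dataset can be handed to a marketing processor for segment analysis, while only the controller holds the key and lookup table needed to attribute a row to a person.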
Not for: technical cookies
Cookies concerning the content of the transaction itself or explicitly requested by the user: the language choice, the content of a form or a shopping basket; it can be argued that these cookies are in fact covered by the implicit consent of the person concerned, provided that the person is informed about their use and that they are not kept longer than necessary or can be deleted by the visitor themselves.
protection of privacy in the electronic communications sector
electronic communications networks and services (Framework Directive)