REGULATION (EU) 2016/679 General Data Protection Regulation

An overview of the new legal data protection requirements impacting all businesses trading within the EU
John Greenwood, Compliance3, June 2016

GDPR: a new citizens charter for Europe

GDPR background: what, why and when?
The EU GDPR is a Europe-wide regulation focusing on the protection of all personal information by any organisation operating within Europe: an EU citizens' charter.
There was previously no EU-wide standard; each individual country had its own standard, many of which had not been updated since the early 1990s.
Four years in the making, it became effective on 24th May 2016 and must become law in each Member State by 25th May 2018.
Applies to all global entities trading with EU citizens in Europe.

Regulation (EU) 2016/679: GDPR, the document and positioning
173 "whereas" recitals (positioning statements) covering 31 pages
11 Chapters and 99 Articles across 57 pages
Chapter I General Provisions (Articles 1 to 4)
Chapter II Principles (Articles 5 to 11)
Chapter III Rights of Data Subject, 5 Sections (Articles 12 to 23)
Chapter IV Controller & Processor, 5 Sections (Articles 24 to 43)
Chapter V Transfers of Personal Data (Articles 44 to 50)
Chapter VI Independent Supervisory Authorities (Articles 51 to 59)
Chapter VII Cooperation & Consistency (Articles 60 to 76)
Chapter VIII Remedies, Liability & Penalties (Articles 77 to 84)
Chapter IX Processing Situation Provisions (Articles 85 to 91)
Chapter X Delegation & Implementation Acts (Articles 92 & 93)
Chapter XI Final Provisions (Articles 94 to 99)
Supported by 2 Directives passed at the same time:
(EU) 2016/680 Processing of personal data by competent authorities for prevention of crime
(EU) 2016/681 Use of passenger name records for prevention of terrorism and crime

Key aspects: security provision and key restriction
Article 5: All personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").
Article 9: Processing of personal data revealing biometric data for the purpose of uniquely identifying a natural person shall be prohibited.

Key aspects: Chapter III rights of data subject
Article 13: Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: list of 14 notification requirements.
Article 14: Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: list of 13 notification requirements.

Key aspects: information requests
Article 15: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: list of 8 requirements.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
The controller shall provide a copy of the personal data undergoing processing.

Key aspects: rights to rectification & erasure (right to be forgotten)
Article 16: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Article 17: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay.

Key aspects: rights to data portability and to object
Article 18: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Article 20: Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Key aspects: breach notification & communication
Article 33: In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55.
Article 34: When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Key aspects: appointing the data protection officer (DPO)
Article 37: The controller and the processor shall designate a data protection officer in any case where:
the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

Key aspects: role of data protection officer (DPO)
Article 38: The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

Key aspects: penalties
Article 83: Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year: Articles 8, 11, 25-39, 42 & 43.
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher: Articles 5, 6, 7 & 9 (essentially the main principles for storing, processing or transmitting personal data).
Article 84: Such penalties shall be effective, proportionate and dissuasive.

Headlines: the basics
Regulation: it's effective now and will become law on 25th May 2018.
Guilty till proven innocent: evidence of compliance with the articles.
GDPR is already what is required: data security by design & default.
Requirement for a Data Protection Officer: independence.
Implementation will require change impact assessments.
Member state certification & evidence of compliance shall be transparent to consumers.

If you need help in understanding the impact of GDPR on your customer contact processes and need an independent DPO, then please get in touch.
John Greenwood
john@compliance3.com
+44 7767 354 354
www.compliance3.com