EGI Data Protection Agenda: GDPR Requirements & Implementation

Presentation Transcript
EGI's Agenda on GDPR
Thomas Schaaf, External Data Protection Officer
www.egi.eu

Agenda
- Introduction
- Basics of Data Protection
- Key Requirements from GDPR for EGI
- Data Protection Implementation at EGI
- Roadmap
- Timeline
- Data Processing Agreements
3/21/2025 2
Introduction
- Important goal of data protection: protection of personal data from unauthorized disclosure, processing or use.
- Data are regarded as personal data if they can be clearly assigned to a specific natural person.
- GDPR = General Data Protection Regulation of the European Union, in effect since May 2018.

Basics of Data Protection
Key principles (Art. 5 GDPR) of data processing:
- Lawful processing
- Purpose limitation
- Integrity and confidentiality
- Storage limitation
- Data minimisation
- Accuracy

Basics of Data Protection
Roles in data protection:
- Data controller
- Data subject (natural person)
- Data processor

Basics of Data Protection
Rights of the data subject (excerpt):
- Transparent information
- Rectification
- Erasure (right to be forgotten)
- Restriction of processing
- Data portability
Key Requirements from GDPR for EGI
When is processing of personal data lawful? (Art. 6 GDPR)
- Consent from the data subject
- Performance of a contract with the data subject, or taking steps at the request of the data subject prior to entering into a contract
- Compliance with a legal obligation
- Protecting vital interests
- Performance of a task carried out in the public interest
- Legitimate interest pursued by the controller or a third party

Key Requirements from GDPR for EGI
What are the conditions for consent from the data subject? (Art. 7 GDPR)
- Voluntariness, and clearly distinguishable from other matters
- Provability by the controller of the consent given by the data subject
- Consent texts / forms use clear and plain language
- Information about the right of withdrawal
- Revocation of consent at any time must be as simple as giving the consent
Key Requirements from GDPR for EGI
Which information falls under the right of access by the data subject? (Art. 15 GDPR)
- Purposes of the processing
- Categories of personal data concerned
- Recipients to whom the personal data are disclosed
- Period for which the personal data will be stored (or criteria used to determine that period)
- Existence of the right to request rectification, erasure or restriction of processing
- Existence of the right to lodge a complaint with a supervisory authority
- Information on the data sources (where the personal data are not collected from the data subject)
- Existence of automated decision-making
Key Requirements from GDPR for EGI
When must data be erased? (Art. 17 GDPR)
- The personal data are no longer necessary in relation to the purposes.
- The data subject withdraws consent or objects to the processing.
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation.
Key Requirements from GDPR for EGI
What does data portability mean and require? (Art. 20 GDPR)
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Key Requirements from GDPR for EGI
When is a data processing agreement required? (Art. 28 GDPR)
- Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
- Processing by a processor shall be governed by a contract or other legal act.

Key Requirements from GDPR for EGI
What is subject to technical and organisational measures? (Art. 32 GDPR)
- Pseudonymisation and encryption of personal data
- Ensuring confidentiality, integrity and availability of processing systems and services
- Ensuring timely restoration of personal data after an incident
- Process for regular testing and evaluation of the effectiveness of technical and organisational measures
Data Protection Implementation at EGI
- Data privacy statements
- Records of processing activities (processing directory)
- Processing agreements
- Data protection impact assessments
- Technical and organisational measures (TOM)
- Awareness

Roadmap
- We have appointed an external data protection officer.
- We are fully integrating data protection activities in our integrated management system, and more specifically linking data protection with our information security management.
- We are continually updating and completing our internal records of any data processing activities we take responsibility for.
- We are updating our (public) privacy statements and ensuring transparency of our data processing activities.
- Where EGI Foundation is the data controller, we are putting in place data processing agreements with all (potential) data processors.
Roadmap
- Where EGI Foundation is the data processor on behalf of a data controller, we are providing all the information and support that the data controller needs to fulfil its obligations.
- We are conducting data protection impact assessments for ongoing and planned data processing activities that may cause a significant risk of violating individual data subjects' rights.
- We are continually updating and improving our technical and organizational measures implemented to achieve and exceed the required data protection level (in line with our overall level of information security).
- We are promoting awareness of data protection and related issues inside the EGI Foundation as well as towards our members, partners and suppliers.
Timeline (excerpt)
Until when?    | What?
July 2018      | Appointment of a data protection officer
August 2018    | Changes to mailing lists (ensure consent of data subjects)
September 2018 | Updating of privacy statements
October 2018   | Completion of the processing directory
November 2018  | First awareness campaign (addressing both EGI staff members and potential data processors)
November 2018  | Full specification of technical and organisational measures (TOM) released
December 2018  | Final processing agreements with all data processors
January 2019   | Data protection tasks and processes fully integrated in EGI's integrated management system (IMS)
Data Processing Agreements
Why is a data processing agreement needed, and what for?
- It is required by Art. 28 GDPR.
- It clarifies the shared responsibility for data protection when data are processed by one party (the processor) on behalf of another party (the controller).
Data Processing Agreements
What will EGI Foundation as a data controller provide?
EGI Foundation has developed, with their data protection officer, a template for a data processing agreement that is:
- Clear in wording (easy to understand)
- Compact (7 pages)
- Compliant with legal requirements (GDPR)
EGI Foundation is currently preparing processing agreements for all data processing activities where (parts of) the processing is carried out by other parties.

Data Processing Agreements
(Slide 20: no text captured in the transcript.)
Data Processing Agreements
What will EGI Foundation require from their data processors?
- Review and sign the data processing agreement.
- As evidence of secure processing (Art. 32 GDPR), EITHER provide the processor's own overview / documentation of technical and organisational measures (TOM) for review by EGI, OR adopt and commit to the TOMs required and provided by EGI.

Data Processing Agreements
How is the EGI data processing agreement structured? What does it cover?
1. Subject and duration of data processing
2. Categories of personal data involved
3. Purpose of data protection
4. Categories of persons affected
5. Obligations of the processor
6. Technical and organisational measures (TOM) (ref. Annex 2)
7. Collection, deletion and return of data
8. Subcontracting (ref. Annex 1)
9. Inspections by the controller
10. Notification about violations of the data processor
11. Authority of the controller to issue directives