EU Personal Data Processing Requirements for Legal Entities


This project delves into the EU legislative framework on personal data processing, emphasizing the roles of controllers and processors in safeguarding individuals' data. The impact of technology and global players on data processing practices, and the need for stronger data protection rules to mitigate risks and ensure privacy are highlighted.

  • EU
  • Data Processing
  • Legal Entities
  • Technology
  • Privacy

Uploaded on Mar 14, 2025



Presentation Transcript


  1. Personal Data Processing: Personal Data Processing requirements for retail and other legal entities. EU Twinning Project. Expert: David Cauchi. Project Activity: 3.7. Date: 05-06 December 2019. This project is funded by the European Union.

  2. Relevant EU Legislative Framework
     - Regulation (EU) 2016/679 ...on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.
     - Directive 2002/58/EC (amended by Directive 2009/136/EC) ...on processing of personal data in the electronic communications sector.

  3. How does personal data affect you and your business? What is your role?

  4. Controller: a person who alone or jointly with others determines the means and purposes of the processing of personal data. Who is the Controller? In the case of business organisations, the Data Controller is normally the Head of Organisation or Managing Director.

  5. Processor: a person who processes personal data on behalf of a controller. Who can be a processor? Any person or entity engaged by the data controller to provide a particular service and entrusted with the processing of the personal data necessary to render that service. Examples: provision of IT services, accountancy, web hosting.

  6. Technology and global players radically changed the way personal data is processed

  7. Need for more stringent and comprehensive rules
     - Information is increasingly exposed to risks and vulnerabilities leading to security breaches, hacking or other unlawful action, especially in the globalised online environment. Data protection and privacy challenges are on the increase.
     - Modernising the existing set of data protection rules was part of the EC's Digital Single Market strategy.
     - More accountability, consistency and harmonisation across the EU, together with a drive to enhance minimum data protection standards globally, not only within the EU.
     - Rebalancing of rights in a digital world.
     - Provide legal certainty for economic operators.

  8. Main elements introduced under GDPR
     - Accountability Principle: ability to demonstrate compliance.
     - Empowerment of the user: user controls through a privacy dashboard; granular options; scalable and transparent; privacy-by-default settings.

  9. Proximity Principle: in cases of cross-border breaches, the data subject may complain to the national DPA.
     One-Stop-Shop: consistency mechanism and cross-border cooperation between EU DPAs.
     Risk-based approach and ex-post interaction with the DPA: generally, no notification to the DPA.

  10. Scope
     Material Scope: applies to the processing of personal data.
     Territorial Scope: applies to data controllers and data processors
     - with an establishment in the EU; or
     - having an establishment outside the EU that targets individuals in the EU by offering goods and services or through the monitoring of their behaviour. In such cases, a representative established in an EU Member State shall be appointed.

  11. Principles
     - Fair and lawful processing;
     - Purpose limitation: collected for specified, explicit and legitimate purposes, and not processed for incompatible purposes;
     - Necessity, proportionality and data minimisation: adequate, relevant and not excessive in relation to the purposes for which they are processed;
     - Timely deletion or anonymisation;
     - Accuracy;
     - Processed in a secure manner.

  12. Retention of records. General requirement: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

  13. Examples on Retention
     Processing operation | Legal constraints | Operational constraints / necessity | Time frame (example)
     HR vacation records | No legal time frame | Calculated annually | 1 year after renewal
     Customer's receipts | Tax laws require retention for 10 years | Annual accounting | 10 years after accounting year
     Marketing database | No legal time frame | Periodic review for accuracy and necessity of data | Review (cleaning-up) of data every 3 years
     CCTV cameras | No legal time frame | Based on necessity | Normal footage to be discarded within a few days (4 days); extracts concerning incidents can be retained as evidence

  14. Lawful criteria for processing. Consent is one of the criteria but not the only option for processing. Other possible criteria:
     - Performance of a contract
     - Legal obligation
     - Vital interest
     - Public interest
     - Legitimate overriding interest
     Organisations should carefully consider which legal criteria are appropriate for their processing operations. More stringent criteria apply for special categories of data.

  15. Examples on Lawful Criteria
     Lawful criteria | Processing operation
     Consent | Use of personal data for marketing and profiling
     Performance of a contract | Employment and HR data / Suppliers' data / Clients' data necessary to provide the service (T&C)
     Legal obligation | Financial records (Tax / VAT / Accounting) / Conduct of due diligence for anti-money laundering / Obligations under employment law
     Legitimate overriding interest | CCTV systems / Conducting credit checks on business clients (can also be regulated by pre-contractual measures)
     Examples of special categories | Medical examination reports / Occupational health and safety / Social benefits / Injury at work

  16. Question: is this a valid consent? "By accepting our terms and conditions you are granting your unconditional and irrevocable consent to processing of your personal data, including possible disclosure to third parties."

  17. Question: is this a valid consent? The answer is a clear NO, because it is:
     - not freely given;
     - bundled up with terms and conditions;
     - not withdrawable;
     - vaguely worded about the possibility of disclosures.

  18. Conditions for consent: a freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or by a clear affirmative action.
     - The data controller shall be able to demonstrate that the data subject has consented to the processing of data.
     - Consent shall be presented in a manner which is clearly distinguishable from other matters.
     - Genuine choice and granularity for different purposes.
     - Use of clear and plain language in the information clauses.
     - Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
     - The right to withdraw consent (as easy to withdraw as to give consent).

  19. Conditions for consent. Explicit consent is required:
     - in certain situations of serious data protection risks;
     - where a high level of individual control is deemed appropriate.
     Explicit consent applies in the following cases:
     - processing of special categories of data;
     - data transfers to third countries in the absence of adequate safeguards;
     - automated individual decision making (profiling).
     It shall be obtained in a clearly separate fashion, ideally in a written statement, to remove doubt and a potential lack of evidence.

  20. Direct Marketing. In the case of marketing communications sent out by conventional mail/post or made by telephone, the OPT-OUT regime applies. Recital 47 of the GDPR recognises that processing for direct marketing may be regarded as carried out for a legitimate interest. The data subject has the right to object at any time, free of charge; this right should be explicitly brought to the attention of the individual.

  21. Electronic Direct Marketing. In cases where the marketing communication is sent out by email, fax, automated calling or SMS, the OPT-IN regime applies: prior consent in writing. Exception (SOFT OPT-IN): where the contact details are obtained in the context of a sale, and provided that they are used by the same company to market similar products or services. An opt-out must be offered upon obtaining the information and with each message sent.

  22. Processing in an online environment: Cookies
     - Active and granular consent for the use of cookies.
     - Distinction between session cookies and behavioural or analytical cookies.
     - Processing through other third-party tools embedded in your website (e.g. Facebook Pixel and Google Analytics).
     - Ensure a specific opt-in through the cookie notification bar.
     - Information should be provided, ideally, through a specific cookie policy and as part of the comprehensive privacy notice.

  23. Processing in an online environment: other types of online processing
     - Online service request or contact forms
     - Email subscription
     - Financial data for online payments
     - Processing through other service providers (e.g. payment service / website hosting)
     Considerations: Mandatory vs voluntary information? Lawful basis (T&C, consent, other)? Sufficient information in the privacy notice? Contracts with third parties?

  24. Information to data subjects. Transparency principle: provided at the time the personal data are collected from the data subject. Information to include:
     - purposes of processing;
     - the intention to transfer personal data to a third country;
     - retention period or criteria used to determine that period;
     - the existence of data protection rights;
     - the right to withdraw consent;
     - the right to lodge a complaint with the DPA;
     - the existence of automated decision making.

  25. Information to data subjects: using clear and plain language; easily accessible. Use of layered notices to avoid information fatigue:
     - information is not provided in a single notice;
     - allowing users to navigate to the section they wish to read;
     - the first layer should provide a clear overview of the information (the information which has the most impact on the data subject);
     - clear indication of where to find additional information.
     Incorporating a privacy dashboard in the architecture: a single point where to view privacy information and manage preferences.

  26. Example: Layered Notices. Source: ICO's website.

  27. Example: Just-in-time notices. Source: ICO's website.

  28. Right of access. The data controller shall provide, within one month, a copy of the personal data undergoing processing together with access to other information:
     - purpose of processing;
     - categories of personal data concerned;
     - recipients to whom the personal data have been disclosed;
     - where possible, the envisaged retention period;
     - the existence of the rights to rectify, erase or restrict processing;
     - the right to lodge a complaint with the DPA;
     - the existence of automated decision-making, including profiling, and other meaningful information about the logic involved and the envisaged consequences.

  29. Data subjects' rights

  30. Role of Processor. GDPR strengthens the obligations by introducing more prescriptive rules on processors:
     - Controllers shall only use processors providing sufficient guarantees to comply with the GDPR (due diligence should be conducted);
     - Sub-processing is only allowed with prior written authorisation from the data controller;
     - Processing shall be regulated by means of a binding contract, mainly requiring the processor to act solely upon written instructions from the controller (including authorisation for sub-processing) and to ensure security and confidentiality.
     GDPR extends the responsibilities of controllers to processors for certain obligations.

  31. Notification of personal data breach (flowchart)
     Personal Data Breach -> take any necessary measures to mitigate any possible effects on personal data.
     Notify the DPA within 72 hrs, stating: the nature of the data breach; likely consequences; measures taken or proposed; contact details of the DPO.
     High Risk?
     - YES -> notify data subjects without undue delay, stating: likely consequences; measures taken or proposed.
     - NO -> no notification of data subjects required.
     No notification required if: measures are implemented which render the data unintelligible; the high risk is not likely to materialise; it would involve a disproportionate effort.

  32. Security of processing. The data controller shall implement adequate organisational and technical measures to ensure a level of security appropriate to the risk, including:
     - pseudonymisation and encryption of data;
     - ability to ensure ongoing integrity and resilience of processing systems;
     - ability to restore the availability of processing systems in a timely manner in the event of an incident;
     - regular testing, assessing and evaluating of the effectiveness of security measures.
     To demonstrate compliance with the security requirements, the controller may adhere to:
     - an approved code of conduct (prepared by associations or bodies representing the sector);
     - an approved certification mechanism.

  33. Data Protection by design and default. Considerations should be made at an early stage and throughout the lifecycle (e.g. developing IT systems, introducing legislation or measures affecting privacy). Data protection embedded in the design. Proactive and preventive privacy-friendly measures (e.g. pseudonymisation, data minimisation). Default measures tailored to automatically protect the individual's privacy (e.g. preset storage periods, limited data collection and accessibility, user-friendly options).
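Three of the measures named on slides 32 and 33 (pseudonymisation, data minimisation and a preset storage period applied by default) put into working code, as an added Python example that is not part of the presentation. The record layout, the 90-day retention period, the key handling and the sample records are all constructed assumptions for illustration; the point it shows is that a keyed token (HMAC) cannot be reversed or recomputed by anyone who lacks the separately held key, whereas a plain hash of an e-mail address could be matched by guessing.

```python
"""Pseudonymisation + minimisation + default retention for an analytics extract.

Hypothetical pipeline written to illustrate the slides; not the project's code.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample customer records (fictional people).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example",
     "order_total": 120.0, "collected": date(2019, 1, 15)},
    {"email": "bob@example.com", "name": "Bob Example",
     "order_total": 75.5, "collected": date(2019, 11, 2)},
]

# Constructed values used by the demo run below; a real deployment would hold the
# key in a secrets store, apart from the pseudonymised data set (GDPR Art. 4(5)
# calls this the "additional information" that must be kept separately).
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_TODAY = date(2019, 12, 5)

# Preset storage period for this hypothetical analytics purpose (privacy by default).
DEFAULT_RETENTION = timedelta(days=90)

# Fields the analytics consumer actually needs; everything else is dropped
# (data minimisation). Direct identifiers are never copied through.
ANALYTICS_FIELDS = ("order_total", "collected")


def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with an HMAC-SHA256 token.

    The token is stable for a given identifier and key, so records about the same
    person can still be linked across the extract. Unlike a bare SHA-256 of the
    e-mail address, it cannot be recomputed from a guessed address without the key,
    so the extract alone does not identify anyone.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise(record: dict, key: bytes) -> dict:
    """Keep only the fields analytics needs, plus a pseudonymous subject id."""
    out = {field: record[field] for field in ANALYTICS_FIELDS}
    out["subject_id"] = pseudonymise(record["email"], key)
    return out


def apply_retention(records, today: date, retention: timedelta = DEFAULT_RETENTION):
    """Drop records older than the preset storage period.

    The period is a default applied automatically, not something the consumer of
    the extract has to remember to request.
    """
    return [r for r in records if today - r["collected"] <= retention]


def prepare_for_analytics(records, key: bytes, today: date):
    """Full pipeline: retention first, then minimisation and pseudonymisation."""
    return [minimise(r, key) for r in apply_retention(records, today)]


if __name__ == "__main__":
    # Alice's record (collected 2019-01-15) is past the 90-day default and is dropped;
    # Bob's record survives, without e-mail or name and with a keyed token instead.
    for row in prepare_for_analytics(SAMPLE_RECORDS, DEMO_KEY, DEMO_TODAY):
        print(row)
```

The separation matters for the breach-notification slide too: an extract that carries only keyed tokens and minimised fields is what "measures which render the data unintelligible" looks like in practice, provided the key is not part of the same compromise.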

  34. Data Protection Impact Assessment. Required to be carried out by the controller in the following cases:
     - the processing operation is likely to result in high risk;
     - systematic and extensive evaluation of data subjects based on automated processing (including profiling);
     - processing of special categories of personal data on a large scale.
     Prior consultation with the DPA is required if the Data Protection Impact Assessment indicates that the processing involves a high risk to data subjects.

  35. Data Protection Officer. Mandatory designation in the following cases:
     - processing carried out by public authorities/bodies;
     - regular and systematic monitoring of data subjects on a large scale;
     - processing of special categories of data on a large scale.
     A single DPO may be appointed to serve a group of undertakings or public authorities/bodies. GDPR requires the DPO to have expert knowledge of data protection law.

  36. Data Protection Officer. Position and tasks of the DPO:
     - staff member or engaged on a service contract;
     - should be able to work independently;
     - involvement in data protection matters;
     - informing and advising the controller/processor;
     - monitoring compliance;
     - providing advice on and monitoring the DP Impact Assessment;
     - cooperating with the DPA;
     - acting as contact point for data subjects and DPAs.
     The controller or processor shall publish the contact details of the DPO and communicate them to the DPA.

  37. Data Transfers. Examples:
     - purchasing or selling goods in different locations;
     - storing data in remote servers abroad;
     - accessing systems from multiple locations;
     - transmitting personal data via email or other commonly used platforms.
     No additional formalities are required for intra-EU transfers (as GDPR applies). Transfers to non-EU/EEA states require one of the following:
     - an Adequacy Decision;
     - Appropriate Safeguards (e.g. Standard Clauses / BCRs);
     - qualifying for one of the derogations.

  38. Conducting DP Audits. Relevant steps:
     - Data inventory and mapping of processing operations.
     - Determine the scope of the audit and the methodology: legal and general compliance; technical and data level; functional or departmental (e.g. marketing database).
     - Prepare and use specific checklists based on the scope.
     - Conducting the audit involves information gathering, verification and assessment (reviewing policies and procedures, conducting interviews, and also sampling and checking specific records).
     - Report findings and address compliance gaps.

  39. Enforcement on SMEs: some examples
     Data Protection Authority | Sanction | Organisation | Type of violation
     Belgium | 10,000 | Merchant | Use of e-ID to create a customer card: unlawful access to the e-ID, including photo and barcode, linked to the identification number of the individual.
     Poland | 47,000 | ClickQuickNow | Obstructing the right to withdraw consent and erasure of data.
     France | 180,000 | Active Assurances (car insurer) | Insufficient security measures resulting in a huge amount of clients' documents online.
     Austria | 50,000 | Company in medical sector | Non-compliance with information obligations and not appointing a Data Protection Officer.

  40. Final remarks. Take stock of the current processes involving personal data and identify any compliance gaps. Review the internal structure of the organisation and introduce the necessary changes as required. Get your business priorities right! Data protection compliance is good business, as it builds and enhances your trust with the business community and the public.
