
GDPR Fundamentals: Overview and Scope
Regulation (EU) 2016/679, also known as GDPR, is essential for protecting personal data in the European Union. This regulation impacts both EU and non-EU companies, outlining guidelines for data processing, sensitive data handling, individual rights, security measures, and more. Understand the scope of GDPR, the roles of data controllers and processors, and how it applies to personal data to ensure compliance and data privacy.
Presentation Transcript
Understanding GDPR: Fundamentals
Anand Krishnan, Senior Analyst - Policy, CIPP/E, CIPM, DCPP
Introduction
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy. Enforcement date: 25 May 2018, at which time organizations in non-compliance will face heavy fines.
Fundamentals
1. Scope of application of the GDPR.
2. Controller and processor.
3. Legal grounds for the processing of personal data.
4. Sensitive data.
5. DPIA, DPO, privacy by design and by default.
6. Individuals' rights.
7. Security and data breach notifications.
8. Processing by third parties.
9. Cross-border data transfer restrictions.
Scope of Application
GDPR applies to EU companies:
-Controllers and processors established in the EU.
-Establishment implies the effective and real exercise of activity through stable arrangements, regardless of its legal form (e.g. branch, subsidiary, etc.).
GDPR applies to non-EU companies:
-Controllers and processors not established in the EU but targeting EU individuals by:
 -Offering goods/services to individuals in the EU, even free of charge.
 -Monitoring the behaviour of individuals located in the EU.
Scope of Application
GDPR applies to personal data:
-Any information relating to an identified or identifiable individual.
-Any information that can be linked back to an individual by anyone and by any means reasonably likely to be used.
-Information qualifies as personal data as soon as an individual can be singled out.
-Online identifiers (e.g., IP address, unique device ID, cookie identifiers) and location data are explicitly included in the definition of personal data.
-Pseudonymised data (i.e., data that cannot be attributed to an individual without the use of additional information) is personal data.
GDPR doesn't apply to anonymised data:
-Anonymised data are not personal data, but the threshold for anonymisation is very high in the EU.
-De-identified data are unlikely to be anonymous data.
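The pseudonymised/anonymised distinction above in concrete form, as an added Python example that is not part of the presentation. It shows why replacing an e-mail address with its SHA-256 hash does not anonymise it (anyone who can guess candidate identifiers hashes them and compares), why a keyed pseudonym (HMAC) only moves the problem to custody of the key, which is exactly the "additional information" of the definition, and why even an unrecoverable pseudonym still lets one person's records be singled out. The function names, the key and the sample addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the presentation): the identifiers a
# "de-identified" analytics export was derived from.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier, the usual 'de-identification' shortcut."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). The key is the 'additional information'
    that must be kept separately; whoever holds it can re-attribute the data."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def reidentify(pseudonyms, candidates, derive):
    """Dictionary attack: derive the pseudonym of every plausible identifier and
    look for matches in the export. Returns {pseudonym: identifier}."""
    table = {derive(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def singled_out(records):
    """Group (pseudonym, event) records by pseudonym. Even when no identity is
    recoverable, a stable pseudonym links one person's records together."""
    groups = {}
    for pseudonym, event in records:
        groups.setdefault(pseudonym, []).append(event)
    return groups


def demo(key=None):
    """Run the three scenarios and return their results (hypothetical helper)."""
    key = key or secrets.token_bytes(32)
    # Attacker's candidate list (constructed): a marketing list or breach dump
    # that happens to contain the real users plus a few others.
    candidates = SAMPLE_EMAILS + ["dave@example.com", "erin@example.org"]

    plain_export = [plain_hash(e) for e in SAMPLE_EMAILS]
    keyed_export = [pseudonymise(e, key) for e in SAMPLE_EMAILS]

    return {
        # Unkeyed hashes of low-entropy identifiers fall to plain enumeration.
        "plain_recovered": reidentify(plain_export, candidates, plain_hash),
        # Without the key, the same attack against HMAC pseudonyms recovers nothing.
        "keyed_without_key": reidentify(keyed_export, candidates, plain_hash),
        # With the key, every record is attributable again: still personal data.
        "keyed_with_key": reidentify(
            keyed_export, candidates, lambda c: pseudonymise(c, key)
        ),
        # Linkability: two events under one pseudonym single out one person.
        "linked": singled_out(
            [
                (keyed_export[0], "login"),
                (keyed_export[0], "purchase"),
                (keyed_export[1], "login"),
            ]
        ),
    }


if __name__ == "__main__":
    result = demo()
    print("unkeyed hashes re-identified:", len(result["plain_recovered"]), "of", len(SAMPLE_EMAILS))
    print("keyed pseudonyms re-identified without key:", len(result["keyed_without_key"]))
    print("keyed pseudonyms re-identified with key:", len(result["keyed_with_key"]))
    print("events linkable per pseudonym:", [len(v) for v in result["linked"].values()])
```

The practical consequence: a dataset keyed by a hash of an e-mail, phone number or IP address stays inside the GDPR's definition of personal data, and a keyed pseudonym only helps if the key is held by a separate party with access controls of its own. True anonymisation needs the singling-out, linkability and inference risks addressed, not just the direct identifier removed.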
Controller and Processor
Data Controller: the entity that, alone or jointly with others, determines:
-The purposes of data processing ("why").
-The means of data processing ("how").
Data Processor: the entity that processes personal data:
-On behalf of the controller.
-Under the instructions of the controller.
Related concepts: joint controller v. separate controller; sub-processor.
Controller and Processor
Joint controller v. separate controller:
-In the case of joint control, several parties jointly determine the purposes and means of one or more processing activities.
-The distinction between joint and separate control may be difficult to draw in practice.
-If the parties do not pursue the same objectives ("purpose"), or do not rely upon the same means for achieving their respective objectives, their relationship is likely to be one of "separate controllers" rather than "joint controllers".
-Conversely, if the actors in question do determine the purposes and means of a set of processing operations together, they will be considered to act as "joint controllers".
Controller and Processor
-Separate controllers exchange personal data with one another, but do so without making any joint decisions about the purposes and means of any specific processing operation.
-In such cases, each party is independently (yet fully) responsible for ensuring compliance of its own processing activities. In principle, the liability exposure of each party is also strictly limited to the processing activities under its own control.
Legal Grounds for Processing
-Data subject's consent.
-Performance of a contract.
-Legal obligation.
-Vital interests of a person.
-Public interest / official authority.
-Legitimate interests of the controller or a third party.
Consent
Clear, affirmative and unambiguous:
-The individual gives consent by a clear and affirmative action.
-Silence, pre-ticked boxes or inactivity does not amount to consent.
Informed:
-The individual must be aware of, at least: (1) the controller's identity; (2) the purposes of the processing; and (3) the possibility to withdraw consent.
Specific:
-Consent cannot be hidden in the Privacy Policy or the T&Cs.
-The consent covers all processing activities for the same purpose.
-If there are more purposes, consent must be given for each purpose.
-Prohibition of bundled consent.
Freely given:
-Consent must be a genuine and free choice, and individuals must be able to refuse or withdraw it at any time without detriment.
-Consent is not valid when there is a clear imbalance between the individual and the controller.
-Presumption that consent is not freely given when: the individual is not allowed to give separate consent to different processing activities; or the provision of a service depends on consent although consent is not necessary for the performance of that service.
Legitimate Interests
Balancing exercise between the interests at stake:
-The interests of the controller or the third party.
-The interests and fundamental rights of individuals.
Examples of legitimate interests:
-Fraud prevention.
-Ensuring security of network and information systems, and security of related services offered through such networks and systems.
-Whistle-blowing schemes.
According to Working Party Opinion 06/2016, to qualify as legitimate an interest must:
-be lawful (in accordance with applicable EU and national law);
-be sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject;
-represent a real and present interest (not be speculative).
Sensitive Data
The GDPR adds new categories of sensitive data and defines them:
-Data concerning health: personal data related to the physical or mental health of an individual, including the provision of health care services revealing health status.
-Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allow his or her unique identification (e.g., facial images or dactyloscopic data).
-Genetic data: personal data relating to the inherited or acquired genetic characteristics of an individual which give unique information about his or her physiology or health (e.g., from analysing a biological sample).
DPIA, DPO, Privacy by Design and Default
Data Protection Impact Assessment (DPIA):
-Assessment of the risks for individuals.
-Is there a high risk for the individual?
-Identification of the mitigation measures.
-If a high risk remains, consult the DPA.
Data Protection Officer (DPO):
-Advises the company and its staff on GDPR obligations.
-Monitors compliance with the GDPR and internal privacy policies (assignment of responsibilities; awareness-raising; trainings; audits).
-Provides advice on the DPIA and monitors its performance.
-Cooperates with DPAs and acts as a contact point (in case of DPA consultation).
DPIA, DPO, Privacy by Design and Default
Privacy by Design and Default: controllers must ensure that, in the planning phase of processing activities and in the implementation phase of any new product or service, data protection principles and appropriate safeguards are addressed and implemented (Article 25, GDPR).
Individuals' Rights
Existing rights:
1. Notice right (transparency requirement).
2. Right of access.
3. Right to rectification.
4. Right to restriction.
5. Right to object.
6. Right to erasure ("right to be forgotten").
7. Right not to be subject to automated decision-making.
GDPR introduces new rights:
1. Right to data portability.
2. Data breach notification requirements.
Security and Data Breach Notifications
General security obligation:
-Obligation to assess the risks and implement security measures to mitigate those risks.
-Applies to both controllers and processors.
-Criteria for identifying the right mitigating measures: the state of the art; the costs of implementation; the nature, scope, context and purposes of processing; and the risk of varying likelihood and severity for the rights of individuals, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
-Obligation to train staff having access to personal data on the steps to follow in case of a data breach (i.e. adopt an incident response plan).
Security and Data Breach Notifications
How are data breaches to be notified?
-Processor to controller: notification of the data breach without undue delay.
-Controller to DPA: notification within 72 hours.
-Controller to data subjects: notification without undue delay, if the breach is likely to result in a high risk for the individuals.
Processing by Third Parties
Controller to processor:
-Mandatory contract (data processing agreement) between the controller and the processor.
-The contract must oblige the processor to only process data on the instruction of the controller and to assist the controller to comply with the GDPR.
Processor to sub-processor:
-Mandatory contract (data processing agreement) between the processor and the sub-processor.
-The contract must impose on the sub-processor the same obligations as are imposed on the processor.
Cross Border Data Transfers The GDPR maintains existing restrictions and confirms / creates data transfer mechanisms: