European Union Privacy Law Basics

processor

An entity that processes personal data based on the instructions of a controller.

Individual Rights

- Data Access - Right to Object - Data Rectification - Restriction of Processing - Data Portability - Right to Erasure

Key principles of GDPR

- Fairness and Transparency - Purpose Limitation - Data Minimization - Accuracy - Data Deletion - Security

data subject

A "natural person" who can be directly or indirectly identified by information such as a name, an identification number, location data, an online indentifier (such as a username), or their physical, genetic, or other identity.

Key principle: Accountability

A data conroller is responsible for implementing measures to ensure that the personal data it controls is handled in compliance with the principles of the GDPR. This includes appointing a data protection officer, imposing contractual obligations on processors, and using the principles of "privacy by design" and "privacy by default." Additionally, a data controller must be able to deomonstrate compliance, including by keeping a record of processing activities and conducting privacy impact assessments.

Standard contractual clauses

Also known as "model clauses," these are legal contracts between . parties who are transferring personal data from Europe to countries outside the EEA. The European Commission drafted and approved the standard contractual clauses, which contain detailed obligations related to the protection of personal data.

GDPR

General Data Protection Regulation

Anonymization

If data is truly anonymized, then the data does not constitute personal data under the GDPR. However, the bar to be considered anonymous is high: It must be impossible for any individual to be identified from the data by any further processing or by combining it with other information.

Individual Rights: Data Portability

In certain cases, data subjects have the right to ask a controller to provide their personal data in a structured, commonly used, and machine-readable format (ex: .csv file) so that they can transmit their own personal data to another company.

Key principle: Data Minimization

Organizations can collect only personal data that's adequate, relevant, and limited to what's necessary for the intended purpose

True or False Psuedonymized data is still considered personal data under the GDPR.

True

controller

An entity that determines the purpose and means of processing of personal data.

Key changes that GDPR brings

- Basis of data processing: organizations must have a lawful basis to process the data, and consent must be freely given, specific, informed, and unambiguous. Organizations must be able to prove that they obtained valid consent - Compliance obligations: Numerous direct compliance obligations were set in place on data processors. This includes requirements that processors only process personal data in accordanance with the controller's instructions, not share data with other vendors without consent of the controller, and implement appropriate security measures. Also imposes several more compliance obligations both on data controllers and data processors to implement appropriate policies, assess the privacy impact of changes to business practices, and keep detailed records on data activities. - Breach notifications: Data controllers must report any data breach to their data proctions authority as soon as possible and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in any harm to the data subjects. - Data protection officer: Any organization that regularly processes sensitive personal data on a large scale/involved with regular and systematic monitoring of data subjects must appoint a data protection officer to ensure the organization complies with privacy law. - Enforcement: Authorities can now fine companies up to the greater of €20 million or 4% of a company's annual global revenue, based on the seriousness of the breach and damages incurred. - Use of processors: Data controllers must have written agreements with data processors that ensure processors act only in accordance with the controller's instructions, implement appropriate security measures to protect the data, assist the controller with its compliance obligations, return or destroy personal data at the end of the relationship, and comply with the provisions of GDPR applicable processors. - Profiling: GDPR places certain restrictions on the automated process of personal data to evaluate data subject, or "profiling." These processes can results in significant impact on an individual, such as denial from a job or credit application. - Data subject rights: GDPR provides data subjects with a broad range of rights regarding their personal data. Data subjects can request that the data be corrected, deleted, frozen, or made portable. They also have the right to object certain processing and revoke consent. - One-stop-shop: GDRP provides a central point of enforcement for organizations with operations in multiple EU member states by requiring such organizations to work with a lead supervisory authority for cross-border data protection issues.

Salesforce commitment to privacy

- First Top-10 software company in the world to protect its customers' data with binding corporate rules for processors approved by European data protection authorities. - One of the first companies in the world to certify compliance with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework - Have robust security and privacy programs in place that . meet the highest standards in the industry - Services have earned numerous security-related certifications based on the administrative, technical, and physical safeguards we use to protect their customers' personal data

3 mechanisms that Salesforce uses to facilitate cross-border data transfers

1) Binding Corporate Rules (BCRs) 2) The EU-US Privacy Shield and Swiss-US Privacy Shield 3) Standard Contractual Clauses

What are three methods that organizations can use to operationalize privacy principles into their culture?

1) Privacy by Design 2) Privacy by Default 3) Privacy Protection Impact Assessment

match the term to an example Terms 1) processor 2) sensitive personal data 3) anonymous data 4) processing 5) personal data 6) data subject 7) pseudonymous data 8) controller Examples a) name b) gender, age, phone number, address, likes/dislikes, activity information (ex: reads Vogue every day) c) member of a political party, religion, medical records, copy of records (ex: fingerprints, retinal scan) d) any collection, storage, transfer, sharing, modification, use, or deletion of personal data e) Grand Bank of the North is a financial institution that is providing Marie with a mortgage to buy a house. When Marie first registers on Grand Bank's website to get more information about mortgages, Grand Bank becomes a ________ of the personal data Marie provides. f) Salesforce becomes a ________ of Marie's personal data when Grand Bank uploads her data to its Sales Cloud instance. g) When Marie visits the Grand Bank website community hosted on Community Cloud to learn mroe about the mortgage process, the system records her IP address in the hashed form and links it to the pages that Marie views. The hashed IP address is considered _________, because, although the hashed IP address alone does not identify Marie, it's still possible to link it to other information that relates to Maire. h) The Grand Bank website asks people to leave reviews. The system does not collect any information from reviewers - not even IP addresses. The reviews themselves can be considered ________.

1) f 2) c 3) h 4) d 5) b 6) a 7) g 8) e

Individual Rights: Right to Erasure

Also known as "the right to be forgotten," this right empowers data subject to request that a data controller delete or remove their personal data in situations such as the following: - when the data is no longer needed for the original purpose - when the data subject withdraws consent - when the data subject objects to the processing and the controller has no overriding legitimate interest in the processing

Data Protection Impact Assessments

Analyses of new processing activities to identify and address privacy risks.

processing

Anything that is done to or with personal data.

personal data

Any information relating to an identified or identifiable data subject.

Binding Corporate Rules (BCRs)

Company-wide data protection policies approved by European data protection authorities to facilitate transfers of personal data from the European Economic Area (EEA) to countries outside the EEA. BCRs are based on strict privacy principles established by European Union data protection authorities and require intensive consultation with those authorities. Salesforce was the first Top-10 software company in the world to achieve approval for BCRs for processors.

Individual Rights: Right to Object

Data subjects can in certain cases object at any time to the processing of their personal data, in particular if the processing is for direct marketing purposes.

Individual Rights: Restriction of Processing

Data subjects can request that a controller stop access to and modification of their personal data. For example: the controller can mark or use technological means to ensure that such data will not be further processed by any party.

Individual Rights: Data Access

Data subjects have the right to confirm with a data controller whether the organization is processing their personal data. If it is, the controller must provide the data subject with information about such processing, including the specific data processed, the purpose of the processing, and the other parties with whom such data has been shared.

Individual Rights: Data Rectification

Data subjet can request that a controller correct or complete personal data if the data is inaccurate or incomplete.

anonymous data

Data that cannot ever be connected to an identified or identifiable person.

encryption

GDPR encourages encryption as an effective way to help ensure the security and confidentiality of personal data

pseudonymization

GDPR encourages pseudonymization as a risk-based measure to protect data security and the rights of individuals. Organizations useit as a measureto enable the use of data beyond the original purpose, as it is a sufficient safeguard against risk from profiling.

What is GDPR?

GDPR is a comprehensive privacy law that significantly expands the privacy rights granted to individuals, and places many new obligations on organizations that handle personal information. It establishes rules for how companies, governments, and other entities can process the personal data of data subjects who are in the EU. Some rules were already in existance, some are stricter, some are less burdensome, and some are brand new.

Key principle: Purpose Limitation

Organizations can collect personal data only for specified, explicit, and legitimate purposes. They cannot further process personal data in a manner that's incompatible with those purposes.

Key principle: Fairness and Transparency

Organizations must always process personal data lawfully, fairly, and in a transparent manner

Kep principle: Security

Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration. Depending on the specific use case and personal data processed, the use of data segmentation, encryption, pseudonymization is recommended, and in some cases required, to help protect personal data.

Key principle: Accuracy

Personal data must be accurate and, where necessary, kept up to date.

Key principle: Data Deletion

Personal data must be kept only for as long as it's needed to fulfill the original purpose of collection.

sensitive personal data

Personal data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, information about health, sex life and sexual orientation, and genetic or biometric data.

pseudonymous data

Personal data that cannot be tied to a specific data subject without additional information that is stored seperately, with technological measures to ensure the data is not combined with that additional information.

The EU-US Privacy Shield and the Swiss-US Privacy Shield

The are frameworks designed by the US Department of Commerce, along with the European Commission and Swiss government, to provide companies with a mechanism for complying with European data protection requirements when they're transferring personal data from Europe to the United States. Companies certify compliance with the US Department of Commerce and are subject to oversight and enforcement by the US Federal Trade Commission. Salesforce was one of the first companies to certify uner the EU-US Privacy Shield.

Privacy by Default

This is the idea that organizations must always use the most "privacy friendly" default settings when collecting, processing, or storing data. For example, when giving individuals a choice over how much of their data is processed, the default setting should always be the choice with the least amount of processing. When selecting a retention period, the default must be the shortest possible retention period.

Privacy by Design

This is the idea that when organizations plan a new processing activity or develop or implement a new product, service, or feature, they must design such activities and products with the GDPR principles in mind, to ensure they put appropriate safegaurds in place to protect privacy.