CIPPE II - Data Protection Law & Regulation
Processor
Processes personal data on behalf of controller; has less legal risk than controller unless it breaches its agreement with controller/fails to follow instructions (at which point it becomes its own controller)
Contract
Processing is necessary for the performance of a contract to which the data subject is party or In order to take steps at the request of the data subject prior to entering contracts.
Breach Response
Processor must notify controller. If no risk to the rights and freedoms of natural persons, that's where it stops. OTHERWISE, notify the SA within 72 hours. Report must establish breach scope, consequences, next steps. Required to notify the data subjects only if: there is a high risk to their rights/freedoms, OR the TOMS were not effective (e.g., data obtained was not encrypted), OR subsequent measures can't prevent the high risk of harm. if notifying each subject requires disproportionate effort, can use a public announcement.
Privacy Shield
Replaced the US-EU Safe Harbor standard. Safeguards data being transferred between the EU and US. Enables US companies to more easily receive personal data from the EU/comply with EU privacy laws. Self-certification process that the company complies with EU data protection standards. Used by any company that collects, stores, or processes personal data between the EU and US companies.
Data Protection Impact Assessment (DPIA)
Required when processing is likely to result in HIGH RISK to the rights/freedoms of DS, including - systemic and extensive evaluation based on automated processing, including profiling on which decision are based that produce legal effects or similarly significant effects - large scale processing of special categories or criminal offenses -systemic processing of publicly accessible area on a large scale (CCTV) Must request consultation with S.A. if your DPIA show high risk and there are no measures to mitigate. Must show within 8 weeks of DPIA completion or after an extension of 6 more weeks.
DSR: Portability
Right to request previously supplied data in a structured, commonly used, machine readable format. Where feasible, can instruct the controller to transmit electronically to another controller. Applies to Consent or Contract Bases ; only applies to data provded from the data subject themsleves, and the processing is carried out only by automated means.
European Data Protection Supervisor
The EDPS is the data protection regulator for the EU as an entity. Established by EU regulation, the EDPS ensures that the institutions of the EU; i.e., the commission, council, Parliament, etc., respect the fundamental rights and freedoms of individuals, particularly their rights to privacy. Specifically, the job of the EDPS is to "monitor the application of the provisions of this Regulation to all processing operations carried out by a Community institution or body."
DSAR Response:
"Without undue delay and in any event within 1 month of he receipt of the request." may respond with notice that there will be a further 2 month processing delay along with reason for delay.
When is appointment of a DPO REQUIRED
(1) Core activity is processing special cat. of data or criminal offenses *core activity = central to the underlying purpose of the organization (2) Core activity includes regular and systemic monitoring on a large scale *includes basically all online marketing, apps, wearables, smart devices (3) Controller is a Public Authority (4) Where appointment is required by member state law
Derogations for 3rd Party Transfers
(a) explicit consent of DS after being informed of risk based on lack of adequacy decision or appropriate safeguards (b) necessary to perform a contract (ex: fulfill Amazon order) (c) Public Interest as set out in EU or member state law (d) Establishment, exercise or defense of legal claims (e) vital interests of a DS (f) if the data is from a public general register Derogations are frowned upon- should be used only occasionally, must inform SA of the transfer and the "compelling" legitimate interest
Processor Requirements (art 28)
- Implement TOMS - Contract in writing: Duration, purpose or processing, type of data, categories of data subjects. -only process on controller's documented instructions -keep data confidential - assist controller with DSAR -Delete or return data at end of contract -Demonstrate complaince, including allowing audits and inspection; advise if controller's instructons are illegal Fully liable to controller for work of any permitted sub-processors
GDPR violation: Data Subject's Recourse
- Lodge a complaint with the SA (determined by place of work, residence or location of infringement) -SUE any SA where it is located -SUE any controller or processor (where the C/P is located or at the DS place of work, residence or alleged infringement) Any DS who suffers "material or NON-MATERIAL DAMAGE" from an infringement of GDPR has right right to receive compensation. Non-material include "any significant economic or social disadvantage) Note; these actions may be brought by a nonprofit on behalf of data subjects
Grounds for processing Sensitive Personal Data
-explicit consent (can withdraw at any time)-- ALWAYS use JUST IN TIME notice for this. - compliance with employment laws -vital interest - legitimate activity of a non-profit, foundation, association (for internal organization use only) -Establishment of legal claims - Substantial public interest -archiving in the purpose of public interest - data subject makes sensitive data public
Privacy Notice- Direct Collection Art. 13
1 (a) identity of controller (b)contact of DPO (c)purpose and legal basis of processing (d)legitimate interest if applicable (e)recipeitns or categories of recipients (f)intent to transfer to a third country, adequacy decision or where to get a copy of safeguards; 2(a) Period of time to store (b) statement of data subject rights(c) right to withdraw consent for special categories of processing (d) right to complain to a S.A. (e) Why data is requested/required; consequences of not providing data (f)whether automated decision-making will occur, if so what logic and consequences
6 Legal Bases for Processing
1. Consent 2. Contract. 3. Legal Obligation 4. Vital Interest 5. Public Interest 6. Legitimate Interest
GDPR Territorial Scope (Art 3)
1. Controllers/processors "established" in the EU (established= effective and real exercise of activity through stable arrangements. Interpreted BROADLY) 2. Controllers NOT Established in the EU which: -->offer goods and services to data subjects in the Union --> monitor the behavior of data subjects that takes place in the Union
GDPR Violation: FINES
10M/2% "total worldwide annual revenue" for : violations involving children : poor data by default/design : failure to appoint a DPO where required or impeding DPO operations : False certification claims 20/4% for :failure to respect core principles, consent violations, violations involving special categories, failure to respect data subjects rights (access, erasure, etc.)
Pseudonymous
A way of mitigating risk, common part of TOMS, GDPR still applies because it could arguably still be reversed (not fully anonymous)
Data subjects rights
Access Rectification Restriction Erasure Portability Objection Human intervention on Automated Decision
GDPR Material Scope (Art 2)
Always except: (a) just as a filing system (b) outside union law or regulated by another law -- national security and policy, EU law enforcement, EU institutions themselves (c) purely personal or household activity
GDPR Does not apply to
Anonymous data, dead people
Personal Data
Any information relating to an identified or identifiable natural person (a " data subject") ( name, ID number, location, physical characteristics, EVERYTHING).
Legitimate Interest
Any interest of the controller or third party to process data unless overridden by the rights of the data subject (ex: fraud prevention, internal administration, network security, reporting crimes). BALANCING TEST
DSR: Restriction
Applies to all bases of processing ; prevents future processing. Used when (1) Controller needs time to verify accuracy (2) processing is unlawful but data subject opposes erasure (3) Purpose is no longer relevant but data is needed for establishment/defense of legal claims (4) DS objected and is waiting for a decision. Restricted Data may still be processed with the DS consent, for exercise of legal claims, public interest,- controller must inform the DS prior to lifting restriction
Notice- Indirect Collection Art. 14
Categories of personal data concerned and where did the data come from. Must be sent: - within 1 month at latest after processing -first communication with data subject - when disclosed to another controller Individual notices not required if it would require disproportionate effort or would seriously impair/render impossible the purpose of processing.
Transparency Principle
Clear communicate what data is collected and how it will be used. Privacy notices must be easily accessible and easy to understand (adjusted for the intended subject) Recommended "layered" notices (up to 3 layers)
Processing (Art 4(2)
Collect, store, transmit or delete.
DSR: Access
Controller shall provide a copy of the personal data undergoing processing; must also answer questions that would be answered in the privacy notice. Applies to all bases of processing
Supervisory Authority Interaction
Cooperation Mutual Assistance Joint Operation Consistency Mechanism- (ask the EUDPB for advice where needed) Dispute resolution - via the EUDPB Urgency Procedure -emergency national order of 3 months or less
Data Protection Officer (DPO)
DPO is like a mini S.A. responsible for ensuring compliance with law, conducting DPIA, auditing, training, workign with S.A.s and responding to DSARs. -Can be an employee or contractor - Must be independent can't be punished/penalized for doing his job. - Must be involved in all data protection issues; can do other work only where not in conflict - Must report to highest levels of the business - must be given resources to accomplish tasks and maintain expertise
DSR: Objection
DS can object, which triggers balancing test. Controller must cease processing unless demonstrates legitimate grounds to override the objections. Most commonly seen internally, where a DPO advocates the data subjects view on his behalf. Applies to Public Interest or Legitimate Interest bases
DSR: Erasure Request & Right to Be Forgotten
Data Subject may obtain if: (1) data is no longer needed for original puprose and no new lawful puprose exists (2) basis was consent and consent is withdrawn; (3) DS exercises right to object and controller has no overriding grounds (4) Data processed unlawfully (5) necessary to comply with law. Where controller has made personal data public, Controller must take steps to inform third party of the request and carry it down. applies where lawful bases was consent or legitimate interest
Controller
Determines the Purpose and means of processing; must comply with controller requirements, responsible for the actions of processors except where the processor has breached its contract and becomes its own controller
Documentation Requirements
Documentation is required if: - more than 250 employees. Even if you have <250 if - the processing creates a risk to the rights and freedoms of data subjects - processing is more than occasional -any processing of special categories of data or criminal offenses RECORDS OF PROCESSING REQUIREMENTS Article 30(1) (controllers) and 30(2) (processors) .
European Data Protection Board
EDPB - head of each SA plus the European Data Protection Supervisor
Data Protection by Default
Ensuring that the default settings for any data system are default set to the lowest necessary levels of processing (collecting and processing only what is needed) (Art 25(2))
Data Protection Principles (GDPR Art 5)
Fairness- respect rights of Data Subjects Lawfulness- comply with laws Purpose Limitation- specified and explicit purpose for collection Data Minimization- collection/processing not excessive to purpose Accuracy- every reasonable step to maintain accuracy Storage Limitation- retain no longer than needed for the purpose Integrity & Confidentiality - protect against loss, destruction, damage and unauthorized processing
DSR: Erasure EXCEPTIONS
Free speech and expression, compliance with law or task in the public interest, establishment or exercise of defense or legal claims
Cross-Border Data Transfers (Transfers to Third Countries)
In order to transfer data ouside of the EEA, it requires: 1) An adequacy decision by the Comission that the 3rd country has laws in place to mirror the rights provided under GDPR - OR- 2) demonstrated appropriate safeguards (through Privacy Shiled, SCCs, BCRs, etc) -OR- 3) a Derogation (exemption);- OR- 4) Under an international agreement like a mutual assistance treaty
Binding Corporate Rules
Legally binding internal corporate privacy rules for transferring personal information within a corporate group. BCRs are typically used by corporations that operate in multiple jurisdictions, and they are alternatives to the U.S.-EU Safe Harbor and Model Contract Clauses. BCRs must be approved by the EU data protection authorities of the member states in which the corporation operates.
Vital interest
Literally life and death and NO other legal basis exists. Classic example is an ER requesting the medical history of an unconscious person who cannot consent to the disclosure of his health information.
Codes of Conduct and Certifications
Meant for trade associations or industry groups, so that all members can adopt (ex: IAB or NAA), must be approved by the European Data Protection Board (representatives from all S.A.s of EU) and then ultimately the Commission. Certification is another option proposed in GDPR but but doesn't really exist
"Representatives"
Not to be confused with DPO, a Representative is a person in the EU that represents the company and required unless the processing is "occasional" and "unlikely to result in a risk."
Privacy Shield Principles
Notice Choice (opt-out for most, opt-in for sensitive) accountability security Data integrity & Purpose limitations Access Recourse, enforcement and liability
Personal Data Breach
The accidental or unlawful destruction, loss, alteration, unauthorized discoverer of, or access to, personal data.
Legal Obligation
To comply with member state laws (ex: workers comp, taxes, anti-discrimination laws)
Adequacy Decisions
US- only with Privacy Shield Canada- Commercial Orgs only Argentina Uruguay Israel Japan New Zealand Andora, Faroe Islands, Isle of Man, Jersey and Guernsey (reviewed by commiession every 4 years)
Minor Child Data Subject
Under age 16, can be relaxed to "not below 13" by states; Consent must be from holder of parental responsibility
DSR Human Intervention on Automated Decisions
Where an organization uses automated decisionmaking to make a decision about a DS with "legal effects" or similarly significant affect:, the DS has the right to obtain human intervention and challenege the decision. Applies to Vital Interest, Public Interest, Legitimate Interest
DSR: Rectification
allows data subject to correct innacurate personal data held by a controller; to provide supplementary information where information is incomplete. Applies to all bases of processing
Public Interest
carried out in the public interest or processing in the exercise of official authority vested in the controller
Consent
clear, affirmative act establishing freely given, specific, informed, unambiguous indication of the data subject's agreement to processing of data. Consent requests must be Clearly distinguishable from other matters and each other. Does not work in context of clear imbalance. Data subject may revoke consent at any time.
Appropriate Technical and organizational measures" for confidentiality and security (ART 32)
factors include "state of the art', "costs" and "risk". Measures include: - Pseudonymization -Encryption -Confidentiality & Integrity Availability Resilience -risk response Regular testing
supervisory authority
government body designed to enforce data protection laws, may also be called a DPA
Data Protection by Design
incorporating data privacy as a consideration at the earliest steps of product development (controller responsibility only) Art 25(1)
Supervisory Authority
monitor, enforce, promote and advise on Data Protection. Independent from their member state's government. Powers are: Investigative (audits and site surveys), corrective (warnings, reprimands, compliance orders) authorization and advisory (issue opinions, approve BCRs, ad hoc clauses, codes of conducts, etc.). For breaches impacting multiple states, lead supervisory authority goes to SA of the state with the greatest "substantial affect" on data subjects.
Data Protection Policy
must have one "when proportionate in relation to the processing activities" (Art 24(2))
sensitive personal data
racial or ethnic; political, religious, philosophical beliefs, trade-union membership; genetic data; biometric data FOR THE PURPOSE of identifying a person; health, sex life or sexual orientation (Art 9(1)) Processing prohibited unless exceptions apply
Profiling
the use of computers to combine data from multiple sources and create electronic dossiers of detailed information on individuals including their behaviors, attitudes and preferences.
