CIPP/E Training Course Terms


[MOD8] Processing Employee Data: Member State Rules

- GDPR is the floor for protection.
- Rules must include suitable and specific measures to safeguard the data subject's:
  □ Human dignity
  □ Legitimate interests
  □ Fundamental rights
- Particular regard for transparency of processing, transfer of pd w/in economic groups, and monitoring systems.
- Mixing EU data protection law with local employment law can make compliance complicated.

[MOD8] Surveillance: Direct Marketing - Postal Marketing

- Not subject to the ePrivacy Directive.
- Marketers must still satisfy the GDPR and national data protection laws, incl. opt-out requests.
- Some member states' national rules mandate a requirement for consent. HOWEVER, in the absence of mandated consent, controllers may rely on legit interests based on a balancing test:
  (a) Whether the individual is an existing customer
  (b) The nature of the products and services
  (c) Whether the controller has previously told the individual that it will not send any direct marketing comms

[MOD6] Transparency Obligation

- Requires controllers to communicate w/ DS's in:
  ▪ An intelligible and easily accessible form
  ▪ Clear and plain language
  ▪ A form capable of being understood by your audience (NOTE: if the audience is children, it must be understandable by children)
  ▪ Concise communication
  ▪ Provided free of charge, UNLESS the DS's request is illegitimate/excessive/repetitive

[MOD8] Surveillance: Direct Marketing - Telephone Marketing 1. Subject to ePrivacy Directive? GDPR? 2. Telephone Direct Marketing Rules under ePrivacy Directive 3. Automated Calling Systems

- YES, subject to the ePrivacy Directive (all of P2P and B2B, and B2C); also to the GDPR.
Under the ePrivacy Directive:
- No consent is generally required for P2P marketing.
- Member states decide if P2P marketing should be opt-out or opt-in.
- Member states may also decide about the treatment and permissibility of B2B direct telephone marketing; some do not distinguish between P2P and B2B comms, while others apply a more relaxed approach to B2B marketing.
- Consent IS required for marketing thru automated calling systems.
- At a minimum, individuals must have a means to opt out for free; as a result, many member states have nat'l opt-out registers, which typically must be checked against the controller's call lists.

[MOD8] Processing Employee Data: Workplace monitoring Personal data about employees collected through monitoring must be: (3)

/1. Held securely;
/2. Accessed only by those within the organization with a legitimate reason to view it; and
/3. Deleted when there is no longer a need to hold onto it (however, there may be a business need to retain it).

[MOD7] UK data protection act

05/2013 - sets new standards for data protection in accordance with the GDPR

[MOD7] International Transfers: Adequate Safeguards Reliance Order

If data is transferred outside of the EEA, it still needs adequate safeguards. Things to be considered ONLY once there is a legal basis to process the pd:
1. Adequacy Decisions;
2. Appropriate Safeguards;
3. Derogations.

[MOD7] Int'l data transfers: member state restrictions

Member State Restrictions on Int'l Data Transfers:
- Art. 48: 3rd country court, tribunal or administrative authority orders for PD may not be authorized unless the request is made under the basis of EU or member state law OR thru an EU treaty.
- Art. 49(5): Member states can place limitations on the export of PD for their own reasons of important public interest.

[MOD5] GDPR Right: Objection to Processing /1: When is this right available?

Objection to Processing (A.21). Only available if the data falls w/in 1 of these 3 categories:
/1: For direct marketing purposes; this incl. restricting profiling.
/2: For public/legit interests, if the controller cannot prove that those reasons are compelling enough to override the DS's interests/rights/freedoms.
  To decide whether the controller has proven a compelling enough interest:
  --} The controller could internally organize a discussion between someone who reps the interests of the org and an objective individual (such as the DPO) who reps the interests of the DS.
/3: For research or statistical purposes. The DS's objection can be overridden if processing is necessary for the performance of a task carried out in the public interest.

[MOD8] Surveillance: Biometric Data 1. When is biometric data considered sensitive data? 2. What is the definition of biometric data in A.14 GDPR? 3. What are the main uses of biometric data in public and private sectors?

Remember: for biometric data to be included as a special category, the purpose for processing must be for uniquely identifying a natural person.
Biometric data, defined in Article 4(14) of the GDPR: "Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data". Examples include: DNA, fingerprints, retina and eye patterns, voice, and gait.
Main uses of biometric data in public & private sectors:
▪ Identification: who are you?
▪ Authentication: are you who you claim to be?

[MOD8] Surveillance: Surveillance by Private Entities (pretty much MUST be based on what lawful ground?)

Surveillance by private entities must be based on legitimate purposes. In addition to the GDPR, it must comply with national laws concerning confidentiality, privacy, data protection and other civil rights (e.g., employment law).

[MOD9] Appropriate Technical and Organizational Measures - Engaging Processors, Article 28 GDPR --Controllers shall use only processors providing sufficient guarantees to: (4)

The controller shall use only processors providing sufficient guarantees to:
/1▪ Implement appropriate technical and org measures
/2▪ Meet the requirements of the GDPR
/3▪ Ensure the protection of the rights of the data subject
/4▪ "Sufficient guarantees" means: (a) a contract; and (b) assurance mechanisms, such as appropriate checking and vetting of the processor by the supplier through a 3rd party assessment of certification validations, both before and after creating a K.

[MOD8] Surveillance: Surveillance by Public/State Agencies for national security or law enforcement purposes

This type of surveillance must be conducted in a manner that respects the individual rights enshrined in the Charter of Fundamental Rights, specifically the right to a private and family life (Article 7) and the protection of personal data (Article 8); although "this should not prevent law enforcement authorities from carrying out activities to prevent, investigate, detect and prosecute criminal offenses, safeguard against and prevent threats to public security".
Key requirements: lawfulness, necessity, proportionality and regard for the legitimate interests of the natural person.
Laws that fail to appropriately consider the rights and freedoms of data subjects may be struck down by the Court of Justice of the European Union (CJEU).

[MOD6] 1. Timing of notice/info provided to data subjects re: processing of their pd, & 2. When information does not have to be provided to data subjects

Timing of information disclosure required:
--} w/in a reasonable period after obtaining the data (no more than 1 mo); OR
--} Upon first communication with the data subject, when PD is used to communicate;
--} If disclosure to a 3rd party is anticipated, information must be provided when the data is first disclosed.
Info may not have to be provided to the DS if:
--} Information provision is impossible or requires disproportionate effort; OR IF
--} It would 'render impossible or seriously impair' the purpose of the data processing.
EXCEPTIONS:
--} If nat'l or EU laws require obtaining or disclosing data and provide appropriate measures to protect the individual's interests; OR
--} If nat'l or EU laws require that the PD remain secret.

[MOD8] Processing Employee Data: Under GDPR

Under GDPR, ask: what would be your lawful basis for processing employee data? Notes on the specific types of legal bases:
1. Legal obligation: this means an obligation under EU or member state law ONLY.
2. Legitimate interests of the employer
   - Legitimate interest cannot be adverse to employees' rights and freedoms.
   - This basis CANNOT be used for processing special categories of data.
   - Public authorities CANNOT rely on this ground.
3. Consent
   - In the empee-emper relationship, freely given consent is difficult to prove bc of the unequal distribution of power between emper and empee.
   ◊ Remember: consent must be a freely given, specific, informed and unambiguous indication of the employee's wishes, signifying agreement.
   - Even if there is consent, the processing of employee data may still be unlawful or unfair under local law.
   - Under some local labor laws, employers are obligated to obtain consent from employees to process their personal data.

[MOD8] Whistleblowing Schemes 1. What kind of companies must have what kind of systems in place due to what act? 2. What is confusing about USxEU company whistleblowing schemes?

Whistle-blowing schemes have increased in use since the passing of the U.S. Sarbanes-Oxley Act in 2002.
/1: Public companies must have a system in place to receive anonymous complaints about potential wrongdoing, including fraud, misappropriation of assets and material misstatements in financial reporting.
/2: U.S. companies with EU subsidiaries or affiliates are bound by both U.S. and EU data protection law, thus potentially leading to conflicting obligations, specifically in regard to protecting the identity of the whistle-blower versus protecting the personal data of the employee accused of wrongdoing (under EU data protection law).

[MOD10: Accountability] As described in A.5 of GDPR, "accountability" = ...

The ability to demonstrate that a data protection program has been implemented and is run in compliance with the law. In practice, this means implementing appropriate and at least proportional technical and organizational measures to ensure the confidentiality, integrity, availability and security of pd.

[MOD11: Supervision and Enforcement] GDPR A.4(23) — cross-border processing, defn:

Cross-border processing:
( 1 ) 'processing of pd which takes place in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State'; OR
( 2 ) 'processing of pd by a controller/processor in the Union which substantially affects/is likely to substantially affect data subjects in more than one Member State'.
- Article 29 WP Guidance: Supervisory Authorities will interpret "substantially affects" on a case-by-case basis.

[MOD10: Accountability] Auditing Privacy Program /1: what can be audited? /2: what can result from an unsatisfactory audit?

▪ DPAs have the ability to carry out audits and inspections of premises and processing equipment and operations.
▪ DPAs can issue warnings to controllers and processors or even put a stop to business activities if data processing practices are suspicious.

[MOD8] Online Behavioral Advertising - Definition & Explanation

▪ OBA = website advertising targeted at individuals based on the observation of their behavior over time.
▪ While OBA may be delivered by the website publisher itself, increasingly OBA happens through third-party advertising networks that the publisher allows to place cookies on individuals' computers with unique identifiers.
▪ As websites track individuals' website activities, profiles are assigned to unique identifiers, enabling ad networks to deliver advertising based on individuals' interests.

[MOD7] International transfers: Adequate safeguards, reliance order

1. Adequacy Decision 2. Appropriate Safeguards 3. Derogations

[MOD2] Personal Data - defined in A. 4(1)

1. Any information, 2. Relating to, 3. An identified or identifiable, 4. Natural person. Pseudonymous data is protected under the GDPR; anonymized data is NOT. Note: truly anonymizing data is not always possible.

[MOD3] Data Protection Roles (4):

1. Data Subject
2. Data Controller
   - Determines the means/purposes of data processing
   - Can even be public authorities or agency bodies, or natural persons
   - Under GDPR, may be responsible for faults of the processor
   - When data is being processed, there is ALWAYS a controller
3. Data Processor
   - Obligations under GDPR are mainly 'accountability-based', e.g., keeping records, notifying of data breaches, keeping a DPO if necessary.
   - Entities often will try to characterize themselves as a processor so that they will have fewer legal obligations
4. Supervisory Authority / Data Protection Authority

[MOD11: Supervision and Enforcement] Roles of Supervisory Authorities (6):

1. Promote, monitor and enforce the GDPR.
2. Promote awareness by helping organizations understand their obligations under the GDPR.
3. Conduct investigations on GDPR compliance.
4. Protect fundamental human rights, including raising public awareness, by providing information to individuals who have requested information and by managing data subjects' complaints.
5. Draw up annual reports that explain the data protection in their country, current issues and the agenda for the following year.
6. Facilitate the free flow of personal data within the EU.

[MOD5] Rights Granted by GDPR (8):

1. Right of Transparent Communication and Information
2. Right of Access
3. Right of Rectification
4. Right to Erasure
5. Right to Restriction of Processing
6. Right to Data Portability
7. Right to Object
8. Right not to be subject to Automated Decision-Making (profiling)

Both controllers (A.4(7)) and processors (A.4(8)): ( 1 ) Have accountability obligations under GDPR to: (2); ( 2 ) Can be subject to: (2)

Both controllers/processors have accountability obligations under the GDPR to:
- keep records that can be provided to SA's upon request;
- share responsibilities for compliance.
Both can be subject to:
- large administrative fines if obligations are not met;
- compensation claims from individuals.
Note: a person may be a controller for one processing operation, and a processor for another operation.

[MOD8] Processing Employee Data: Processing Sensitive Employee Data

Employers must comply with one of the exceptions in the GDPR when processing employees' sensitive data, such as:
▪ Consent
▪ To exercise/defend legal claims
▪ To carry out obligations and rights under EU/member state law or collective agreement
In a number of jurisdictions, labor laws restrict the extent to which sensitive employee data can be processed; however, local data protection authorities may issue authorizations for specific activities.

[MOD8] Online Behavioral Advertising - GDPR

GDPR: information collected for OBA purposes is personal data. Its definition of personal data specifically provides 'online identifier' as an example (incl. cookies).
Guidance note from A.29 WP: all parties to a third-party ad network relationship potentially may attract compliance responsibilities under the GDPR. These include:
▪ the ad network itself, which will often qualify as a controller;
▪ the website publisher, which may qualify as a joint controller; and
▪ advertisers, which may qualify as independent controllers.

[MOD9] Appropriate Technical and Organizational Measures - Engaging Processors, Processor Contract & Processor Contract Due Diligence ( 1 ) How to Conduct Due Diligence ( 2 ) Pre-contractual Considerations ( 3 ) Processor K Requirements

Pre-Processor Contract Due Diligence: To ensure processors provide appropriate security, controllers should exercise pre-contractual due diligence through methods such as:
▪ requests for information (RFIs);
▪ requests for quotations (RFQs);
▪ site visits; and
▪ audit observations.
Pre-contractual considerations may include:
▪ The processor's data protection knowledge
▪ Recent high-profile breaches
▪ Recent and current investigations
▪ Accreditations
▪ The processor's policy framework; and
▪ Sub-processors
Processor Contract:
▪ The processing K must be in a binding contract or other legal act under EU or member state law.
▪ It may be based, in whole or in part, on standard contractual clauses identified by the European Commission or supervisory authorities.
▪ Article 28 stipulates that the contract must set out: (a) the subject matter and duration of the processing; (b) the nature and purpose of the processing; (c) the type of personal data; (d) the categories of data subjects; and (e) the obligations and rights of the controller.

[MOD10: Accountability] 1. When must the Supervisory Authority be contacted when conducting a DPIA? 2. What should this communication include?

Required prior to processing when the DPIA indicates a high risk to data subjects that is not mitigated. This communication should include:
1. The DPIA report
2. Responsibilities of the controllers and processors; purposes and means of the processing
3. Measures and safeguards, and
4. Contact details of the data protection officer
If the supervisory authority thinks the processing will not be compliant with the GDPR or the controller has not sufficiently mitigated the risks, the supervisory authority will provide advice to the controller and can block processing activities within 8 weeks (or 6 additional weeks in complex situations).

[MOD5] GDPR Right: Restriction of Processing; defn & when ds's can request restriction

Restriction of Processing (A.18)
- Allows for PD to continue being stored by the controller without being processed.
- A.4(3) definition: § The marking of stored personal data
- Provides an alternative to erasure if storing of the pd:
  § Is legally required
  § Ensures the protection of another person's rights
  § Is in the public interest
- Methods of restriction possible (non-exclusive list):
  § Making the pd temporarily unavailable
  § Moving the data to a separate system
  § Noting the restriction in the system
  § Using the data under very narrow conditions
- DS's may request restriction if:
  § Processing is unlawful
  § Accuracy is contested, and the controller needs time to verify
  § Data is not needed, but the DS needs the data to be saved for the establishment/exercise/defense of legal claims
  § The DS objects to the processing
- Once the right is invoked, processing may only be continued:
  § With new consent from the DS;
  § In the public interest;
  § To protect the rights of another person;
  § To exercise/defend legal claims

[MOD9] Appropriate Technical and Organizational Measures - Security Controls - 4 main attributes

Systems must provide prompt notification if a control fails. The 4 main attributes:
Confidentiality ▪ Individuals, entities, systems or applications access data on a need-to-know basis
Integrity ▪ Controls are in place to ensure data is accurate and complete
Availability ▪ Data is accessible when needed for a business activity
Resilience ▪ Data is able to withstand and recover from errors or threats

[MOD8] Processing Employee Data: Workplace monitoring 1. Employer Motivations for Workplace Monitoring 2. To Monitor Employees Lawfully, an Employer Must Ensure that the Monitoring is: (4) 3. DLP Tech x Employee Monitoring

§ Employer motivations:
▪ Investigating employees/employee activity
▪ Improving efficiencies
▪ Supporting the employee
§ Lawful Employee Monitoring. To monitor employees lawfully, an employer must ensure that the monitoring is:
/1: Necessary
  ◊ Can you demonstrate that the monitoring is really necessary?
  ◊ Consider less intrusive methods first.
  ◊ Under GDPR, a DPIA may be required under certain circumstances.
/2: Proportional
  ◊ Proportionality: is the monitoring proportionate to the issue that the employer is dealing with?
  ◊ This is linked to the GDPR principle of Data Minimization.
  ◊ Collective bargaining agreements are useful markers for employers considering the proportionality of monitoring activity.
/3: Transparent
  ◊ Transparency: have employees clearly been informed of the monitoring that will be carried out?
  ◊ NOTE: the employer cannot argue that lack of workplace privacy is acceptable bc empees have been warned.
  ◊ Employers should introduce an acceptable use policy (AUP).
/4: Legitimate
  ◊ Legitimacy = lawful grounds for collecting and using the pd + fair processing.
  ◊ Legit interest balancing test: emp'ee rights & freedoms vs. legit interests of emp'er.
  ◊ Collection of sensitive data thru monitoring is likely to be problematic.
  ◊ Member states' local data protection law and local employment law may restrict the use of employee monitoring systems.
  ◊ Alternatives to monitoring should always be considered.
  ◊ Prevention is often a better approach than detection, e.g., blocking websites the employer does not want the employee to visit.
DLP Technology x Employee Monitoring
  ◊ Employee monitoring can also occur through the use of data loss prevention (DLP) technology.
  ◊ DLP tools are used to protect IT infrastructure and confidential business information from external and internal threats, but inevitably involve processing employee and other third-party personal data since they operate on networks and systems used by employees.

[MOD10: Accountability] What are the duties of Controllers & Processors to facilitate competent, independent DPOs? (7)

( 1 ) Facilitate communication with and involvement of the DPO in all issues related to personal data protection. Controllers and processors should involve DPOs in all personal data protection matters.
( 2 ) Provide support to the DPO, including resources to help carry out tasks.
( 3 ) Provide access to personal data and processing operations.
( 4 ) Help the DPO maintain expert knowledge of topics and issues related to personal data protection.
( 5 ) Ensure the DPO acts completely independently and does not receive instructions from anyone except the supervisory authority.
( 6 ) Ensure the DPO is not dismissed or penalised for performing their tasks.
( 7 ) Ensure that the DPO is not put in a situation that is a conflict of interest, such as a position that requires determining the purposes and means of processing personal data.
( 8 ) Ensure that the DPO reports to the highest levels of management. This is important because it will prevent messages from getting attenuated before reaching management.

[MOD4] OECD Guidelines; 1. What are they (there are 7); and 2. Who is responsible for complying with these measures?

( 1 ) The OECD Guidelines are:
A. Collection limitation
B. Data quality
  --To the extent necessary for the stated purposes, data should be: § Relevant; § Accurate; § Complete; and § Up to date.
C. Purpose specification
  --Purposes should be specified not later than at the time of collection.
  --Subsequent use should be limited to those purposes, or to purposes not incompatible with them.
D. Use limitation
  --Data should not be used (processed) other than: (1) with the consent of the data subject; or (2) by the authority of law.
E. Security safeguards
  --Reasonable security safeguards should be employed.
F. Openness
G. Individual participation
  --Individuals should have the right to:
  1. Obtain from the controller their data, or at least confirmation of the fact that the controller has data on them.
  2. Have their own data communicated to them w/in a reasonable time, for a non-excessive charge, in a reasonable manner, and in a readily intelligible form.
  3. Be given reasons if a request under 1 or 2 is denied, and
  4. Challenge data relating to them and, if successful, have the data erased/rectified/completed/amended.
- Accountability
( 2 ) Who should be responsible for complying: the data controller should be accountable for complying with measures which give effect to the principles above.

[MOD4] "Data Processing" definition - from A.4(2)

- Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means

[MOD6] Notice / info provided to data subjects re: processing of their pd - DIRECT COLLECTION OF DATA (there are 10)

- IF DIRECT COLLECTION OF DATA, the controller must provide:
/1. Controller/DPO identity and contact details;
/2. Purpose and legal basis of processing;
/3. Recipients of the PD;
/4. Intention to transfer data to a 3rd country or int'l org;
/5. Legal basis for intended int'l transfers, incl. the fact that either the receiving country has a favorable adequacy decision from the Commission or that adequate safeguards have been employed as set out in Articles 47/48/49, as well as how to obtain a copy of these safeguards;
/6. Explanation of legitimate interests IF L.I. was used as the legal basis for the collection;
/7. Storage period OR criteria used to determine the length of storage;
/8. DS rights to:
  § withdraw consent at any time,
  § request access, rectification, processing,
  § lodge a complaint with a supervisory authority,
  § ++ the fact that withdrawing consent does not negate the previous processing if the legal basis for the previous processing was consent;
/9. Whether the provision of the PD is a STAT or K requirement, as well as whether the DS is obliged to provide the data and the consequences of failing to do so;
/10. Info about the use of automated decision-making.

[MOD11: Supervision and Enforcement] Supervisory Authorities, What are SA's 3 categories of powers under A. 58 GDPR?

- Supervisory authorities have three categories of powers, as set out in Article 58:
1. Investigative
  ▪ Includes data protection audits: they can require you to hand over information; they can also conduct data protection audits and visit your premises to do so.
2. Corrective
  ▪ SA's can issue warnings and reprimands to controllers and processors that they think are not in compliance with the GDPR; they can order companies to tell data subjects when they've experienced a data breach, if they review the notification that's been given to them and decide that individuals need to be notified.
  ▪ They can order a company to comply with a data subject's request.
  ▪ They can actually ban processing activities that they consider to be in breach of the GDPR.
3. Authorization and Advisory
  ▪ If a DPIA reveals that there is a high risk to individuals, the org must consult with them, and the authority can then decide to authorize the action or require the org to make changes to it.
  ▪ They can do things like approve codes of conduct, certification criteria, or BCRs; they can also create versions of model contracts or standard clauses, or review companies who put their own proposed model clauses to them and authorize those.

[MOD4] Lawful grounds for processing personal data (there are 6)

/1 Consent: controllers should keep consent records in case this is requested by supervisory authorities. Consent must be:
1. Specific
  § Data subjects must consent to the specific activity
  § Consent for scientific research has some flexibility; subjects should be allowed to give consent to certain areas of scientific research
2. Freely Given
  § Must be clearly distinguishable from other matters
  § Intelligible
  § In clear and plain language
  § Freely given
  § Withdrawing consent should be as easy as giving consent
  § Consent may NOT be used if there is a clear imbalance in power btwn controller & subject
  § A service or the performance of a contract should NOT be conditional upon consent
3. Informed
  § Informed of at least the controller's identity, the purpose of processing and information about how processing may affect data subjects
  § Must be communicated using understandable language and form
  § It will be the controller's responsibility to demonstrate that data subjects were informed prior to consent
4. Unambiguous
  § This requires a positive, affirmative action
  § Silence, pre-ticked boxes, and inactivity DO NOT qualify as unambiguous consent.
+++++ Notable for consent: Children
  § For when information society services are being offered, incl. online tech such as social media and apps
  § Consent must be given by a parent/guardian when the child is x<16 yrs old
  § Member states have the authority to lower this age threshold to 13 if desired.
- Contract
- Legal obligation
- Vital interests
- Public interest or official authority
/2 Legitimate interests
  ○ Public authorities MAY NOT use
  ○ If this basis is used, the burden is on the controller to show that the data subject's fundamental rights and freedoms have not been compromised.
  § The relationship between controller and data subject is important here, e.g., if they are an employee of the controller
  □ This has been used for the legit purposes of: ® Fraud prevention ® Direct marketing ® Admin purposes ® Information security
  ○ The controller must also:
  § Ensure that processing is legal; can be helped by transparency, compliance, and using adequate safeguards
  § Ensure data is necessary for their legit interests
  § Ensure that the purpose of processing is a legit interest of the controller or a 3rd party
  § Inform the data subject at the time of collection of the controller's claimed legit interests
  § Balance legit interests with those of the data subject
  § Uphold the rights and freedoms of data subjects
/3 Performance of a contract
/4 Vital interest
/5 Legal requirement, OR
/6 Public interest

[MOD8] Processing Employee Data: Bring Your Own Device (BYOD) 1. Who is the controller for all data processed thru personal employee devices? 2. BYOD policy goals (6)? 3. What should employers introducing BYOD know? 4. Challenges of BYOD?

/1: The emper remains a controller for any pd processed through personal employee devices for work-related purposes using the work email settings.
/2: BYOD Policy Goals:
1. Explain how employees can use BYOD & their responsibilities
2. Align with the GDPR
3. Protect pd
4. Protect organizational data such as IP and trade secrets
5. Enable employee productivity
6. Mitigate network risks
/3: In addition to implementing a BYOD policy, employers introducing BYOD should:
▪ know where the data processed via the device is stored and the measures required to keep the data secure;
▪ ensure the transfer of data between the device and the company server is secure to avoid interceptions;
▪ know how to manage data held on the device once the employee leaves the company or the device is lost or stolen (e.g. BYOD management software to remotely locate and delete);
▪ provide notice to employees explaining the consequences of signing up for BYOD and outlining the information the org will be able to access;
▪ (remember, the emper must still have a lawful basis for processing pd even in this scenario).
/4: Challenges of BYOD:
▪ Managing security of the org data
▪ Protecting individuals' pd
▪ Mandated BYOD may mean that valid employee consent isn't possible
▪ Implicitly means monitoring employees' pd and maybe sensitive data based on location and activity monitoring
▪ Challenging mobile device management tools: --Remote wiping --Sandboxing

[MOD10: Accountability] 1. When is a DPIA required? 2. Examples of Processing that Will Require a DPIA?

1. When is a DPIA required? If the processing is 'likely to entail a high risk to the rights and freedoms of natural persons'.
▪ Risks should be considered from the points of view of the data subjects and the supervisory authority.
▪ The nature, scope, context, purpose, type of processing and use of new technologies should also be considered.
▪ The use of new technologies, in particular, whose consequences and risks are less understood, may increase the likelihood that a DPIA should be conducted.
2. Article 35 provides examples of processing that will require a DPIA. These are:
▪ Conducting 'a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person';
▪ Conducting 'processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences'; and
▪ Conducting 'a systematic monitoring of a publicly accessible area on a large scale'.

[MOD10: Accountability] DPIA Main values (2)

A DPIA has two main values: 1. To help with incorporating data protection considerations into organizational planning; and 2. To help with demonstrating compliance to supervisory authorities.

[MOD10: Accountability] What should a DPIA include?

A DPIA should include: 1. A description of the processing, including its purpose and the legitimate interest being pursued 2. The necessity of the processing, its proportionality and the risks that it poses to data subjects; and 3. Measures to address those risks (in other words, the data protection by design and data protection by default controls)

[MOD10: Accountability] DPO role in the DPIA process

A DPO is tasked to 'provide advice where requested as regards the [DPIA] and monitor its performance'

[MOD11: Supervision and Enforcement] /1. What is a lead Supervisory Authority? /2. Identifying the Lead Authority for Controllers / Processors?

A lead supervisory authority is the primary regulator responsible for dealing with the cross-border processing activities of a controller or processor (A.56). This includes coordinating the operations of all supervisory authorities concerned. How controllers determine the lead SA: ▪ IF the org has an establishment in only one member state, then the lead SA is that member state's SA. ▪ IF the org has establishments in several member states, then the lead SA is that of the 'main establishment': the place of central administration, UNLESS decisions on the purposes and means of processing are taken in another establishment, in which case that establishment's SA leads. For processors: ▪ Same approach (place of central administration, or the establishment where the main processing activities take place if there is none in the EU), UNLESS ▪ a controller subject to the GDPR is involved in the processing; then the controller's lead SA also leads for the processor, and the processor's own SA is merely a 'concerned' SA.

[MOD8] Surveillance: Article 23 GDPR

A.23 GDPR permits EU or member state law to restrict the rights granted in Chapter III, 'Rights of the data subject' (and the corresponding obligations in A.5 and A.34). Such a restriction must: ( 1 ) respect 'the essence of the fundamental rights and freedoms' AND ( 2 ) be a 'necessary and proportionate measure in a democratic society' to safeguard one of the listed objectives (e.g., national security, defence, public security, prevention/investigation of crime), as set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

[MOD10: Accountability] Data Protection policies: /1. What are they useful for? ; /2. In which situations would they be helpful? ; /3. Does GDPR mandate the contents of a data protection policy? ; /4. What are data protection policy best practices?

An internal data protection policy may be a useful tool for companies to ensure that their employees are properly trained and follow the GDPR requirements. § Article 24(2) states that data protection policies are not required for all situations but should be used 'where proportionate in relation to processing activities'. § While the GDPR does not specify the required contents of a data protection policy, there are best practices that should be considered in its design. These involve considerations regarding language and goals, such as: ▪ Using concise and understandable language that speaks to the recipients. This may require translating it into local languages. ▪ Considering how metrics may be used to demonstrate results, and ensuring tasks are achievable, realistic, relevant and timely.

[MOD9] Appropriate Technical and Organizational Measures - Assessing risk under GDPR - "[security] measures ensuring a level of security appropriate to the risk" of processing: factors (7)

Appropriate to the risk of processing means taking into account the: /1: Nature (of the data), i.e., the more sensitive the data, the stronger the security measures that must be employed; /2: Scope of the data (is the volume/variety of data large, or small?); /3: Context of the collection (was it collected in a sensitive context?); /4: Purposes of processing (what do you actually want the data for?); /5: State of the art; /6: Cost of implementation; /7: The risk of varying likelihood and severity for the rights and freedoms of natural persons (A.32(1)).

[MOD10: Accountability] GDPR Article 27: Obligation to Designate a Representative in the EU

Article 27 of the GDPR obligates controllers and processors who process personal data within the territorial scope of Article 3(2) (i.e., not established in the EU, but offering goods/services to, or monitoring, individuals in the EU) to designate a representative established in one of the member states where the data subjects concerned are. Exceptions to this obligation (A.27(2)) are: ▪1▪ Processing that is occasional, does NOT include large-scale processing of special categories of data or of personal data relating to criminal convictions and offences, AND is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or ▪2▪ The controller/processor is a public authority or body. The representative must be mandated by the controller or processor to be addressed, in addition to or instead of the controller/processor, in particular by supervisory authorities and data subjects, on all issues related to processing.

[MOD9] Article 32 GDPR - Security Controller & Processor Obligations

Article 32 GDPR - Security: controller and processor obligations. "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk." A.32(1) lists examples: pseudonymisation and encryption; ongoing confidentiality, integrity, availability and resilience of systems; the ability to restore availability and access after an incident; and regular testing of the measures' effectiveness.

[MOD9] Data Breach Notification, Articles 33 and 34 When and how must x inform y of a data breach: - Processors, Controllers - Controllers, SAs - Controllers, Data Subjects

Articles 33 and 34 specify controller and processor obligations for communicating that a personal data breach has occurred. Processors must notify controllers: - w/o undue delay after becoming aware of the breach (A.33(2)). Controllers must notify SAs: - w/o undue delay and, where feasible, within 72 hours of becoming aware of it, UNLESS the breach is unlikely to result in a risk to the rights and freedoms of natural persons (A.33(1)); if later than 72 hours, reasons for the delay must accompany the notification, and information may be provided in phases. A.29 WP definition of a controller being "aware" of a breach: --when the controller has a reasonable degree of certainty that a security incident has occurred that has led to pd being compromised. The notification to the supervisory authority should include (A.33(3)): ▪ the nature of the breach, incl. the categories and approximate number of affected data subjects and of affected data records; ▪ the name and contact details of the data protection officer or other point of contact; ▪ a description of the likely consequences of the breach; and ▪ the measures taken or proposed to address the breach, incl. measures to mitigate its possible adverse effects. ▪ The controller must also document all the facts surrounding the breach, its effects and the remedial action taken, so it can prove compliance to the supervisory authority (A.33(5)). Controllers must notify data subjects IF the breach is likely to result in a HIGH risk to the rights and freedoms of those individuals (A.34): ▪ w/o undue delay and in clear and plain language. Notification to data subjects is not required if one of the following applies (A.34(3)): /1: appropriate technical and organisational measures were applied BEFORE the breach that render the pd unintelligible to anyone not authorised to access it, such as encryption (only if the key was not also compromised); /2: subsequent measures taken by the controller ensure that the high risk is no longer likely to materialise; or /3: individual notice would involve disproportionate effort. NOTES: ▪ Where the disproportionate-effort exception (/3) is relied on, a public communication or similar measure that informs data subjects equally effectively must be made instead. ▪ Even if the controller decides not to notify the data subjects, the supervisory authority may still require it to do so (A.34(4)).

[MOD8] Internet Technology & Communications - cloud computing 1. Cloud Computing defn 2. Commonalities among cloud computing services (3) 3. Why might determining whether GDPR applies to Cloud Computing Servs be difficult? 4. When would a Cloud serv provider would likely be considered a controller? (3) 5. When a cloud serv provider determines technical and organizational means of processing (like the hardware and database structure), are they controllers or processors? 6. If the cloud provider is not directly subject to the GDPR, BUT the cloud provider's customer may be subject to it, what should they do? 7. Refresher: when does GDPR A.3 apply?

Cloud Computing Defn: ▪ The provision of IT services over the internet. ▪ This may be used for various purposes, including to provide infrastructure, platform, or application services, or any combination thereof. Commonalities among cloud computing services are that: 1) Infrastructure is shared among customers and accessible in numerous countries; 2) Customer data is moved around the infrastructure according to capacity; and 3) The supplier determines the location, security measures and service standards applicable to the processing. Determining whether the GDPR applies to cloud computing services under Article 3 may be challenging for cloud service providers, b/c: - there may not always be a clear distinction between whether they are a controller or a processor w/regard to certain processing activities. A cloud service provider would likely be considered a controller when: /1: It determines substantial/essential elements of the means of processing (e.g., data retention periods); /2: It processes data for its own purposes; /3: It determines aspects of the processing outside the customer-controller's instructions. Note: A cloud service provider may determine technical and organizational means of processing (for example, the hardware and database structure) and still remain a processor. Double note: Even if the cloud provider is not directly subject to the GDPR, the cloud provider's customer may be, in which case the data processing contract should contain the controls and obligations required by A.28 GDPR. Refresher: Article 3 applies when either: ( 1 ) The processing relates to the activities of an EU establishment of the controller or processor (whether or not the processing takes place in the EU); or ( 2 ) The processing relates to offering goods or services to individuals in the EU, or to monitoring their behavior in the EU, **even when** the controller or processor is not established in the EU.

[MOD9] Appropriate Technical and Organizational Measures - 1. Consequences of a breach (2) 2. EU Fine Regime

Consequences of a Breach: /1: Bad press and media publicity, and /2: civil and group legal claims (plus regulatory fines and orders). EU fines: 2-tiered (A.83), each expressed as the HIGHER of a fixed sum and a share of turnover: [UPPER TIER, A.83(5)] ▪ up to €20M or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the basic principles of processing (incl. conditions for consent), data subject rights, the international transfer rules, member state law obligations under Chapter IX, or non-compliance with an SA order; [LOWER TIER, A.83(4)] ▪ up to €10M or 2% of total worldwide annual turnover, whichever is higher, for infringements of controller/processor obligations (e.g., A.25-39: by design/default, processor contracts, records, security, breach notification, DPIA, DPO) and of certification/monitoring body obligations. Whether a fine is imposed and its amount depend on the A.83(2) factors, incl. the nature, gravity and duration of the infringement; whether it was intentional or negligent; mitigation taken; the degree of responsibility given the A.25 and A.32 measures in place; previous infringements; and cooperation with the SA.

[MOD9] Appropriate Technical and Organizational Measures - Engaging Processors, Elements that must be in Processor Contract Stipulations, According to GDPR (8)

Contract Stipulations According to the GDPR: Processors must: /1: Process the personal data only on documented instructions from the controller unless required by EU or member state law /2: Ensure that those individuals authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality /3: Implement appropriate technical and organisational measures, as set out in Article 32, regarding security of processing /4: Assist the controller in fulfilling its obligation to respond to requests for exercising data subjects' rights /5: Assist the controller in ensuring compliance with obligations specifically related to security and prior consultation with supervisory authorities when required /6: Make available to the controller all information necessary to demonstrate compliance with Article 28 (these processor rules) /7: Delete or return all personal data at the end of the processing services or if instructed by the controller /8: Contribute to audits by the controller or another auditor chosen by the controller, and immediately inform the controller if it believes any instruction infringes the GDPR or member state law

[MOD11: Supervision and Enforcement] Controller/Processor -- Cooperation and Consistency with Supervisory Authorities Chapter VII of the GDPR provides mechanisms to support cooperation and consistency between supervisory authorities, via providing for what 5 things?

Cooperation and consistency: Chapter VII of the GDPR provides mechanisms to support cooperation and consistency between supervisory authorities, via providing: 1. Cooperation: Cooperation between the lead supervisory authority and the other concerned supervisory authorities to reach consensus (A.60) 2. Mutual assistance: Provision of relevant information and assistance between supervisory authorities (A.61) 3. Joint operations: Joint supervisory authority investigations and enforcement measures where controllers or processors have establishments in several member states or where data subjects in more than one member state are substantially affected (A.62) 4. Consistency mechanism: Specific collaborative process between the Commission, the European Data Protection Board and supervisory authorities for adopting certain measures and ensuring consistent GDPR application (A.63-64) 5. Dispute resolution: Mechanism by which the EDPB issues binding decisions where the supervisory authorities cannot agree (A.65). In addition, the Urgency procedure (A.66) allows an SA to immediately adopt provisional measures within its member state, bypassing the consistency mechanism, where urgent action is needed to protect data subjects.

[MOD7] International Transfers: /1. Name the types of derogations (there are 7) /2. Name the necessary derogation provisions (there are 5)

Derogations (A.49) are used as a last resort when a country outside the EEA does not have an adequacy decision and appropriate safeguards are not in place. - Basically, a derogation is an exemption: they are for very limited circumstances and may be relied on only in specific situations for specific transfers. 1. Consent --} Must be EXPLICIT, and given after the individual has been informed of the possible risks of the transfer due to the absence of an adequacy decision and safeguards; given the GDPR's high bar for consent, valid consent is hard to obtain and easy to withdraw. 2. Contract (with the DS, or in the DS's interest) --} The transfer must be necessary for the performance of the contract (or pre-contractual steps at the DS's request): there must be no way to fulfil the contract unless the data is transferred. 3. Public Interest --} PD may be transferred outside the EEA only for important reasons of public interest recognized in EU or member state law. 4. Establishment/Exercise/Defense of Legal Claims --} Designed to cover int'l litigation and similar proceedings. 5. Protection of Vital Interests (of the DS or other persons) --} For emergency situations (e.g., emergency medical care) where the DS is physically or legally incapable of giving consent. 6. Transfer from a public register --} The transfer must comply with any conditions laid down in EU or member state law for consulting the register, and may not involve the entirety of the register or entire categories of data in it. 7. Compelling Legitimate Interests of the Controller --} A residual derogation, available only when none of the others applies --} The transfer must be non-repetitive, concern a limited number of individuals, be necessary for compelling legitimate interests not overridden by the DS's interests, and the controller must have assessed all the circumstances and adopted suitable safeguards. Provisions for derogations - very narrow - even where a derogation applies, the controller must still provide for: /1. The protection of individuals' rights, /2. Assessment and documentation of the transfer (in the A.30 records), /3. Suitable safeguards, /4. Notification of the transfer to the supervisory authority, and /5. Notification to the data subject of the transfer and of the compelling legitimate interests pursued.

[MOD10: Accountability] Data Protection by Design and Default - A.25 GDPR

Design and default - Article 25 GDPR Data protection by design ▪ Begins prior to processing and incorporates data protection considerations into the planning phase. ▪ Orgs should build data protection into their products throughout their lifecycles—specifically at the time of planning the means and type of processing and during the processing itself. ▪ Necessary safeguards should be integrated into the organisation's systems. ▪ The GDPR specifically highlights data minimization and pseudonymization as privacy- enhancing tools. ▪ A data protection program assesses the risks of a product and takes steps to mitigate those risks to meet the data protection by design requirements. Data protection by default ▪ Sustains those considerations into the processing phase, specifically by limiting the collection, processing, storage and accessibility of personal data. ▪ Where a product or service provides users with multiple setting options, the most data protective settings should be the default. ▪ Users should have to "opt in" to any setting that presents greater risks. ▪ By default, a product or service should process only the personal data that is necessary. ▪ Considerations include: purpose of processing, amount of personal data collected, extent of processing, storage period and accessibility.
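The card above names pseudonymisation and data minimisation as the GDPR's own examples of by-design and by-default measures. The following is an added illustration, not part of the course material, showing what those two measures look like in code: a keyed hash (HMAC) replaces a direct identifier so the record can be analysed without the key but linked back only by whoever holds it (the 'additional information' kept separately), and a field allow-list drops everything the stated purpose does not need before the record leaves the collection point. The purpose, field names and sample records are hypothetical, constructed for the example.

```python
"""Pseudonymisation + data-minimising defaults (added example, not from the course)."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Hypothetical purpose: product analytics. Only these fields are needed for it,
# so by default nothing else is kept (data protection by default, A.25(2)).
ANALYTICS_FIELDS = ("country", "plan", "signup_month")


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that makes the pseudonym reversible only by its holder.

    This key is the 'additional information' of A.4(5): it must be stored
    separately from the pseudonymised data (e.g., in a KMS/secret store)
    and access to it should be restricted and logged.
    """
    return secrets.token_bytes(32)


def pseudonymise_id(user_id: str, key: bytes) -> str:
    """Return a stable pseudonym for a direct identifier using HMAC-SHA256.

    A plain, unkeyed hash would NOT count as pseudonymisation in practice:
    anyone able to enumerate plausible inputs (email addresses, customer
    numbers) could rebuild the mapping offline. The keyed hash ties the
    mapping to possession of the key.
    """
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: dict, key: bytes, fields: Iterable[str] = ANALYTICS_FIELDS) -> dict:
    """Produce the record that is actually stored for the analytics purpose.

    The direct identifier is replaced by its pseudonym and every field not on
    the allow-list (IP address, full name, free text...) is dropped rather
    than carried along 'just in case'.
    """
    out = {"pid": pseudonymise_id(record["user_id"], key)}
    for name in fields:
        if name in record:
            out[name] = record[name]
    return out


def reidentify(pid: str, known_ids: Iterable[str], key: bytes) -> Optional[str]:
    """Link a pseudonym back to an identifier; requires BOTH the key and a
    candidate set of identifiers (e.g., the controller's own user table).

    Uses a constant-time comparison so the lookup itself does not leak
    which candidate matched through timing.
    """
    for candidate in known_ids:
        if hmac.compare_digest(pseudonymise_id(candidate, key), pid):
            return candidate
    return None


# Constructed sample input: what a signup event might contain before minimisation.
SAMPLE_EVENTS = [
    {"user_id": "alice@example.com", "country": "DE", "plan": "pro",
     "signup_month": "2023-04", "ip": "203.0.113.7", "full_name": "Alice Example"},
    {"user_id": "bob@example.com", "country": "FR", "plan": "free",
     "signup_month": "2023-05", "ip": "198.51.100.2", "full_name": "Bob Example"},
]


def run_demo() -> list:
    """Minimise the sample events with a fresh key and return the stored rows."""
    key = new_pseudonymisation_key()
    return [minimise(ev, key) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for row in run_demo():
        print(row)  # pid plus the three allow-listed fields, nothing else
```

Rotating the key per reporting period is a cheap way to also bound linkability over time: the same user gets a different `pid` in each period, so long-term profiles cannot be assembled from the analytics store alone.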

[MOD9] Appropriate Technical and Organizational Measures - Engaging Processors, Vendor Management: Difficult things to determine - VRM - (6)

Difficult to determine: /1: The extent to which the controller can rely on the processor to attest to and monitor its own reliability; /2: The extent to which the controller needs to evaluate third parties before and after contracting, incl. conducting audits; /3: How to navigate complex contract provisions; /4: How to handle contracts between parties with unequal bargaining power, or from EU and non-EU jurisdictions; /5: How to navigate situations involving cloud computing, which may make it hard to know the precise nature of the data processing operations at any given moment in time; /6: A checklist may help: it lists the issues to consider at the pre-contract due diligence stage and evidences that the necessary steps were taken (accountability).

[MOD8] Online Behavioral Advertising - ePrivacy Directive

E-Privacy Directive: - generally applies to OBA regardless of whether or not the OBA info collected from individuals constitutes personal data. - Article 5(3) of the ePrivacy Directive, as amended in 2009: the use of cookies to store or access information in an individual's computer is allowed only w/consent, after having been provided with clear and comprehensive information.

[MOD8] Surveillance: Direct Marketing - Email 1. Subject to ePrivacy Directive? GDPR? 2. Specific info that must be provided to recipients? Under what statute is this implemented? 3. DSR's x Direct Email Marketing Rqts (4)

Email Marketing (incl. SMS/MMS messages) - YES, subject to the ePrivacy Directive; also the GDPR. Under the ePrivacy Directive (as implemented in national law), specific information must be provided to recipients of direct marketing via electronic mail. This includes: /1: A valid address to which they can send an opt-out request, appropriate to the medium of the marketing communication; /2: The clear identity of the sender (it may not be disguised or concealed); /3: Clear indication that the message is a commercial communication; /4: Clearly identified promotional offers with easily accessible, clear and unambiguous conditions to qualify; /5: Clearly identified promotional competitions/games (if permitted in the member state) with easily accessible, clear and unambiguous conditions for participation. Data Subject Rights x Direct Email Marketing Rqts: /1: Individuals must have the ability to opt out at the time their contact details are collected; /2: Individuals must be reminded of their ability to opt out, free of charge and in an easy manner, in each subsequent marketing communication; /3: As with telemarketing, the treatment of B2B direct electronic mail marketing varies across member states, and the GDPR applies when processing employees' contact details; /4: This type of direct marketing generally requires prior opt-in consent -->>} Exception ("soft opt-in"): email marketing of the controller's OWN similar products/services to individuals whose contact details were obtained by the controller "in the context of the sale of a product or service", provided they were given the chance to opt out at collection and in every message.

[MOD5] GDPR Right: Erasure (aka, right to be forgotten) /1: When May DS's Request Erasure? /2: Exemptions, member state choice? /3: What Happens When the Right is Invoked? /4: Exeptions - General?

Erasure (aka "right to be forgotten", A.17). Data subjects may request erasure under the following conditions, i.e., if: /1. The pd is no longer necessary for the purpose for which it was collected; /2. The processing was based on consent which is now withdrawn (and there is no other legal basis); /3. The processing is based on the controller's legitimate interests (or a public-interest task), the subject objects, and the controller cannot show overriding legitimate grounds (for direct marketing, the objection always prevails); /4. The pd has been unlawfully processed; /5. The pd must be erased for compliance with EU or member state law; /6. The pd was collected in relation to the offer of information society services to a child. Member state restrictions (via A.23): --} National security --} Crime prevention --} Protection of others' rights and freedoms (incl. the controller's own). When this right is invoked: --} The controller must stop processing and delete the pd without undue delay. NOTE: The controller's obligations may extend beyond its own records: --} Where the controller has made the pd public, it must take reasonable steps (taking into account available technology and cost) to inform other controllers processing that pd that the DS has requested erasure of any links to, or copies/replications of, it. Exceptions (A.17(3)): § The exercise of the right to freedom of expression and information; § Compliance with EU or member state law, or a task in the public interest or the exercise of the controller's official authority; § Public health purposes; § Archiving in the public interest, scientific or historical research, or statistical purposes, IF erasure is likely to render impossible or seriously impair the achievement of those objectives; § The establishment, exercise or defense of legal claims.

[MOD8: Surveillance] Surveillance x Individual Rights Under GDPR, Information Provision to DS's for mass/public surveillance

Even where no direct relationship with the affected data subjects, such as where the cameras cover public space, Controllers must still comply with the transparency requirement of the GDPR to the extent possible. Should use: (1) Signs; (2) Prepped to provide reports As the information that may be made available via a sign is unlikely to contain all the details prescribed by Articles 13 and 14 of the GDPR, the controller should be prepared to provide the full information necessary when a data subject makes contact. Preservation of DSR's can become problematic when in the context of mass surveillance, especially CCTV. For example: - an individual may request access to a copy of a CCTV recording they are on. - This may pose the challenge of protecting others' privacy, specifically those on the recording, while also fulfilling the data subject's right to access. - Given that CCTV footage is usually only retained for short periods of time, the right to access is normally of narrower scope compared to other contexts.

[MOD4] Exceptions to the prohibition on processing special categories of data (3 covered here; A.9(2) lists ten)

Exceptions to the special categories processing prohibition: /1: Explicit Consent § Note: consent requirements are strictly construed by courts/regulators, and member state law may bar reliance on consent for some data. /2: In the Context of Employment § Applies when NECESSARY for the controller (employer) or the data subject to carry out obligations or exercise rights under employment, social security and social protection law, as authorised by EU or member state law or a collective agreement with appropriate safeguards. § Relevant when data subjects are candidates, employees and contractors. /3: Vital Interests of the Individual (or another person) § Similar to the A.6 ground, BUT available only where the data subject is physically or legally incapable of giving consent. § Even in emergency situations, the controller is expected to seek consent where it is possible to do so.

[MOD9] Definition of a "personal data breach"

GDPR defines a 'personal data breach' as: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

[MOD10: Accountability] Article 24 mandates re: Accountability -- in practice, what does accountability mean for controllers/processors? (there are 3 main points)

GDPR (A.24) mandates that the controller implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing complies with the Regulation, i.e., have a data protection program. In practice, the text translates to requirements around: /1. Implementing data protection by design and data protection by default, and conducting a data protection impact assessment where required; /2. Maintaining data processing records; and /3. Possibly needing to appoint a data protection officer. - Note: this is a risk-based approach (measures are chosen taking into account the nature, scope, context and purposes of processing and the risks); controllers must use both technical and non-technical measures, and review/update them as necessary. - Even where accountability obligations apply only to controllers, processors have a duty to support the controller in fulfilling those obligations.

[MOD6] Notice / info provided to data subjects re: processing of their pd - INDIRECT COLLECTION OF DATA (1 additional)

IF INDIRECT COLLECTION OF DATA: Controller must provide source of data & cats of PD concerned --} this is IN ADDITION TO all in the info required to be provided in direct collection

[MOD7] Int'l Data Transfers: Notification to data subjects (3)

IF the controller plans to transfer data internationally, it must inform the data subject (in the A.13/14 notice) of: ▪ The intent to transfer personal data to a third country or international organisation; ▪ The existence or absence of an adequacy decision; ▪ What appropriate safeguards are in place (or which derogation is relied on), and how to obtain a copy of them.

[MOD9] Offshoring - What is required if data is transferred 'offshore'/internationally?

In many controller-processor relationships, personal data is transferred offshore—in other words, it is transferred internationally. Must Use: - Adequacy Decisions, - Appropriate Safeguards, or - Derogations

[MOD7] International Transfers: Appropriate Safeguards /1. What are appropriate safeguards? /2. Name the 6 typical appropriate safeguards

Legal tools designed to ensure that recipients of pd outside the EEA are bound to protect pd to a European-equivalent standard, with enforceable data subject rights and effective remedies (A.46). The 6 common appropriate safeguards: 1. BCRs (A.47) 2. SCCs adopted by the Commission (or adopted by an SA and approved by the Commission) 3. Approved Codes of Conduct, with binding and enforceable commitments by the importer 4. Approved Certification Mechanisms, likewise with binding commitments 5. Ad hoc contractual clauses (with supervisory authority authorization) 6. International agreements / legally binding and enforceable instruments between public authorities. NOTE (Schrems II): relying on any of these safeguards also requires the exporter to verify that the law and practice of the importing country do not undermine the safeguard, i.e., that protection is 'essentially equivalent'; in practice this is documented in a Transfer Impact Assessment, with supplementary measures (e.g., strong encryption with keys held only in the EEA) added where needed.

[MOD8] Surveillance: Location Data - Location Data can be derived from many sources. What are typical examples of these sources? - Can location data be pd?

Location data (used by location-based services, LBS) may be derived from many sources, such as: - satellite network-generated data (GPS); - cell-based, mobile network-generated data; - chip card-generated data (e.g., transit or payment cards); - implicit location information, such as search terms; - internet traffic information, such as IP addresses; and - device-based location services, such as those used by mapping apps (e.g., Google Maps). Many app providers use LBS and have needed to adjust their terms and conditions and notices according to GDPR obligations. Remember: if location data can be used alone or in combination with other information to identify someone, then it will be considered personal data.

[MOD8] Internet Technology & Communications - Web Cookies 1. Best practices for the use of cookies (4) 2. Web Cookie Consent under GDPR must meet what requirements? 3. Consent Guidance from CJEU 4. When is a third party that places a third-party cookie a controller? 5. Web Cookie Consent under the ePrivacy Directive must meet what requirements? 6. What kind of cookies are exempt from the consent requirement?

Most orgs rely on consent to process pd in the form of online identifiers like cookies. Best practices for the use of cookies: /1: Storing only encrypted or pseudonymised pd in the cookie itself; /2: Providing notice; /3: Using persistent cookies only where justified by need; /4: Setting reasonable expiration dates for cookies. GDPR: Consent must be: A.4(11) - a freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or clear affirmative action; AND A.7 - presented separately from other matters, in an intelligible and easily accessible form, using clear and plain language, and as easy to withdraw as to give. Guidance from the CJEU (Planet49) on cookie consent: Must be obtained through active behavior (a pre-ticked box is not consent); Applies regardless of whether the information stored or accessed is personal data; Must be informed, incl. information on the cookies' duration and on whether third parties have access to them. Where the information collected from cookies is pd, its collection and analysis amount to processing subject to the GDPR. Third-party cookies: Third-party cookies, as discussed in this module, are set by an entity other than the website operator. When that third party determines the purposes and means of processing the personal data gathered via its cookies, it is a controller (possibly jointly with the site operator) and must also comply with the GDPR. ePrivacy Directive: Article 5(3) addresses cookies directly - (under member state law) organizations must obtain prior informed consent for storing, or gaining access to, information stored on a user's terminal equipment (for example, websites must ask users if they agree to accept cookies, web beacons, etc., before they are placed). Exempt from the consent requirement: cookies used solely for carrying out the transmission of a communication, and those 'strictly necessary' to provide a service explicitly requested by the user.

[MOD4] GDPR Application: Territorial & Material Scope

Must meet both (1) territorial scope, and (2) material scope. - A.3: Territorial Scope, any of: /1. A controller/processor is processing pd in the context of the activities of an establishment in the EU, whether or not the actual processing takes place in the EU; /2. A controller/processor not established in the EU is processing the pd of data subjects who are in the EU, in relation to offering goods/services to them (whether or not payment is required) or monitoring their behavior in the EU; OR /3. Processing undertaken by a controller not established in the EU but in a place where member state law applies by virtue of public international law. - A.2: Material Scope: /1: Processing of personal data wholly or partly by automated means (note: 'automated means' is NOT the same as automated decision-making); OR /2: Processing of pd other than by automated means, IF it forms (or is intended to form) part of a filing system. § EXCLUSIONS (construed narrowly): □ Activities outside the scope of EU law □ Activities of the EU institutions (Regulation 2018/1725 applies instead) and processing by competent authorities for law enforcement and public security (the Law Enforcement Directive applies) □ Purely personal or household activities.

[MOD10: Accountability] Will a DPO be held personally responsible for non-compliance with data protection requirements?

NO. Article 29 WP - 'No. DPOs are not personally responsible for non-compliance with data protection requirements. It is the controller or the processor who is required to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Data protection compliance is the responsibility of the controller or the processor'.

[MOD9] Appropriate Technical and Organizational Measures - Security in Practice: 1. Needs to implement Security in Practice (2) 2. Policy Framework Needs (8) 3. Physical Security Considerations (4) 4. Incident Detection and Response Measures

Needs: ( 1 ) Management and worker buy-in ( 2 ) Org culture of risk awareness and respect for pd throughout the entire employment lifecycle (from hiring and on-boarding through termination) A policy framework: ( 1 ) Contains all org rules for confidentiality and security ( 2 ) Contains security objective and scope; ( 3 ) Security principles; ( 4 ) Standards and compliance requirements; and ( 5 ) Roles and responsibilities. ( 6 ) Must be approved by mgmt, ( 7 ) Communicated to all emp'ees and relevant external parties, and ( 8 ) Reviewed periodically. Physical security: Considerations may include, for example: ▪ Entry control systems, ▪ Video surveillance, ▪ Lock-and-key, and ▪ Clean-desk policies Incident detection and response measures: ▪ Regular testing of technical and org measures assesses and evaluates their effectiveness. ▪ This also helps to ensure the ability to restore availability and access to pd in a timely manner if it is lost.

[MOD8] Surveillance: Direct Marketing - General 1. Why is this one of the most complex areas of data protection law? 2. What kind of direct marketing comms does the GDPR apply to? 3. What kind of direct marketing comms does the ePrivacy Directive apply to? 4. Direct Marketing definition 5. Direct Marketing rules under GDPR 6. Direct Marketing rules under the ePrivacy Directive 7. Notable forms of Direct Marketing w/clear rules (3)

Note: this is one of the most complex areas of data protection law, because: /1: direct marketing is regulated both by the GDPR and the ePrivacy Directive; /2: direct marketing triggers both data protection requirements and national consumer protection requirements. --->> Controllers must meet all national rules applicable to the direct marketing communications they send. The GDPR applies to: - all direct marketing comms that involve processing pd, regardless of channel; - online advertising targeted at individuals based on their internet browsing history. The ePrivacy Directive applies to: - 'digital' marketing comms, i.e., direct marketing sent over electronic communications networks, such as phone, fax, email, and SMS or MMS. Direct Marketing Definition (A.29 WP): To fall within direct marketing, a communication, by whatever means of advertising or marketing material, must be directed toward specific individuals via the processing of personal data. Messages that do not process personal data to deliver the marketing message, or that are purely service-related in nature, are not direct marketing. Note: direct marketing can occur through post, email, third-party platform messages, push messages or in-app messaging. Note: direct marketing often uses data collected from devices, such as smartphone location data and cookies. Direct Marketing Rules under the GDPR: A.21(2) gives individuals an absolute right to object to processing for direct marketing (incl. related profiling) at any time; once exercised, the pd may no longer be processed for that purpose. Where the marketing was based on consent, the individual can equally withdraw it.
Under the GDPR, controllers are required to: /1: Inform individuals, explicitly and clearly, of their right to object/opt out at the latest at the first communication with them; /2: Allow individuals to opt out across all marketing channels; /3: Honor opt-out requests promptly and at no cost to the individual; /4: Stop using the pd and any marketing profile after an individual has opted out (unless retention is required for another purpose); however, controllers should suppress rather than delete contact details, so they do not risk re-acquiring the individual's details later and marketing to them again. Note: member states may require controllers to screen their contact lists against applicable national opt-out registers before sending direct marketing. Direct Marketing Rules under the ePrivacy Directive: different rules for different channels. - Because the ePrivacy Directive is not directly applicable (unlike the GDPR) but is implemented through national laws, how it is interpreted and enforced differs considerably across member states. - Generally, most forms of digital marketing, other than person-to-person telephone marketing, require prior opt-in consent. Some other notable forms of marketing with clear rules include: - Postal Direct Marketing - Telephone Direct Marketing - Email Direct Marketing

[MOD6] Notice / info provided to data subjects re: processing of their pd /1: when must notification occur?

Notification must occur prior to processing, UNLESS 1. the DS already has the information; or 2. the processing results from an indirect collection of data --} IF INDIRECT COLLECTION (e.g., data obtained from news media or public records): information may be provided AFTER the collection of the data BUT STILL must be provided before further processing

[MOD8] Surveillance: Electronic Communications Data Collection: Metadata vs. Content

PD generated from electronic communications is categorized as either the content of a communication or the metadata. Content: Content data is protected by the right to freedom of expression. Metadata = Context: ▪ metadata provides context to content. ▪ B/c metadata can be used to identify an individual, it falls within the GDPR's definition of personal data.

[MOD6] Privacy Notices/Policies/Statements/Fair Processing Statements: /1: what is it? /2: what are 3 solutions to having a lengthy privacy notice?

Privacy Notice/Statement/Fair Processing Statement/Privacy Policy --} Statement to the DS that describes how the org collects/uses/discloses data --} Solutions to having lengthy privacy notices may be, for example: - Layered notices - Just in time notices - Icon notices

[MOD9] Appropriate Technical and Organizational Measures - Engaging Sub-Processors --what is required for a processor to engage a sub-processor?

Processor needs written authorization of the controller to engage a sub-processor. The same data protection obligations must be imposed on that sub-processor by way of a contract or other legal act. The initial processor will remain fully liable if the sub-processor fails to fulfil its data protection obligations.

[MOD8] Surveillance: Surveillance Technologies, Proportionality

Proportionality: The system and technology used for surveillance should be proportional to the purpose, e.g., ▪ remote control, ▪ zooming functionality, ▪ facial recognition, and ▪ sound recording may not be necessary. Additionally, key aspects of CCTV and processing of its footage must be proportionate to the purpose, e.g., ▪ operational and monitoring arrangements (such as the visual angle, so that monitoring of irrelevant spaces is minimized); ▪ retention of footage; ▪ the need to disclose footage to third parties (such as the police); ▪ whether the footage will be combined with other information (in particular, to identify individuals); and ▪ the surveillance of areas where people have high expectations of privacy. Surveillance technologies include (non-exhaustive): ▪ Social Network Analysis ▪ Data mining/profiling ▪ Aerial surveillance ▪ Satellite imaging ▪ Telecoms surveillance ▪ Biometric surveillance ▪ CCTV cameras ▪ Geolocation technologies

[MOD8] Internet Technology & Communications - Artificial Intelligence (3)

Provisions within the GDPR affect the AI functions of automated decision-making. A.22 highlights DSRs in connection with profiling and automated decision-making. The EU initiative on AI includes: (1) Boosting the technological and industrial capacity and AI uptake across the public and private sectors; (2) Preparing for socio-economic changes as AI modernizes education, training, labour markets and social protection systems; (3) Ensuring ethical and legal frameworks

[MOD5] GDPR Right: Data Portability /1. Purpose of the right to data portability? /2. What the right allows for? /3. When this right applies? /4. Exception?

Purpose of the right to data portability: --} Allows data subjects to obtain and reuse their data for their own purposes and across different services What the right allows for: --} For a data subject to receive pd concerning them that they provided to the controller --} Data may be transferred directly to the data subject for storage on a private device, another controller, or a trusted 3rd party --} Data must be provided in a "structured, commonly used, machine-readable format" -- interoperability being the desired outcome. This right applies when: Note: narrow applicability --} the processing basis was either consent or contractual necessity --} the pd was collected from the data subject themselves --} the pd was subject to electronic processing --} The controller shall help the individual transfer the data to another organization IF REQUESTED EXCEPTION: --} Controller does not have to comply with this DSR IF there are legit reasons to deny the transmission of the data - e.g., it impinges on the rights and freedoms of 3rd parties; --} it is the organization's responsibility to explain why these concerns are in fact legitimate and are not just a 'hindrance' to the transmission.

[MOD5] GDPR Right: Right Not to be Subject to Decisions Based Solely on Automated Processing /1: when does this right apply? /2: exceptions to this right?

Right not to be subject to a decision based solely on automated processing (A.22) - IF the automated processing produces legal effects, or similarly significantly affects a natural person - Especially applicable in cases of profiling: automatic processing of pd for the purpose of evaluating, analyzing, or predicting personal aspects of a natural person Exceptions: (so long as the processing includes reasonable safeguards to protect the DS's fundamental legit rights/interests/freedoms or to provide human intervention for the DS to express their point of view and to contest the decision) --} Decisions authorized by EU or member state law --} Processing necessary to enter into/perform a contract between the controller and the DS --} Decisions based on the DS's explicit consent --} Decisions based on special categories of pd NOTE: even "sensitive data" may still be included in auto-processing if in the public interest or if the controller has explicit consent from the DS

[MOD5] GDPR Rights: Access and Rectification /1. what details should be produced; /2. what is necessary for an org to comply with rectification requests; /3. is extension possible and if so for how long, and how is extension obtained? /4. is there a limitation on the rights of access & rectification?

Right of Access: - Right of access provides data subjects with entitlements to certain information that is being or has been processed, obtainable from the controller upon request. Access details include: /1. Information about the processing, e.g.: --} confirmation of processing --} Why (reason for the processing) --} What (was processed) --} Who (the processed data was shared with - either IDs or categories of those 3rd parties) --} Retention period --} Info re: the source of the personal data when not collected from the data subject --} Info re: automated decision-making, the logic involved, and possible consequences --} Info about appropriate safeguards for pd transferred to a 3rd country or int'l org /2. Info about data subject rights to rectification, erasure, and how to lodge complaints --} Info should be provided free of charge, unless the controller has to make addt'l copies of the data, in which case a reasonable admin fee may be charged. --} Data/info should be made available to the DS in the same form in which the request was made. Right of Rectification: --} Org must be sure that the data is rectified in every instance (every list or db) in which it's used, which sometimes takes a while Extension: ◊ Possible up to two additional months IF REQUESTED by the controller ◊ Notification of the extension to the DS + reason for delay must be sent w/in 1 mo of the request - Limitation to rights of access and rectification: --} Controller's need to take reasonable steps to ID the requester.

[MOD8] Internet Technology & Communications - Social Networking Services /1: controllers for SNS's (3 potential ones) /2: sensitive pd processing considerations /3: third-party pd processing considerations /4: children's data processing considerations

SNS's: There may be multiple controllers for an SNS. /1: The SNS platforms themselves are controllers - b/c they provide the platform for publishing/exchanging personal information, as well as determining the use of personal information for advertising purposes. /2: Authors of apps designed for SNS platforms may be considered controllers as well /3: Users who act on behalf of an org or knowingly extend access to pd beyond selected contacts may be controllers. SNS providers should be open and transparent about the processing of personal data by providing, where relevant: /1: Notice if the personal data will be used for marketing purposes, along with the right to opt out /2: Notice if the personal data will be shared with specific third parties /3: An explanation of any profiling that will be conducted /4: Information about the processing of sensitive personal data /5: Warnings about risks to privacy; and /6: Warning that if an individual uploads a 3rd party's pd, such as photos, the consent of the 3rd party should be obtained Sensitive personal data, third-party personal data and children's personal data require special considerations for processing via an SNS. Sensitive personal data: Explicit consent usually is required to publish personal data on the internet, unless it is published by the data subject. An SNS requesting personal data (for example, for an individual's profile) must ensure the individual knows that provision of the data is voluntary. Third-party personal data: If third-party individuals' personal data is published (for example, photo tags), the SNS must have a legal basis for processing that personal data. According to the former Article 29 Working Party, third-party data of individuals who are not members of the SNS may not be aggregated to form profiles of those individuals. Children's data: (As discussed in Module 4) processing children's data on the basis of consent requires parental consent.
This applies to children under 16 years old; member states may lower this age limit to 13 years old. Additionally, processing on the grounds of legitimate interest may not be possible (GDPR, Article 6[f]). According to the Article 29 Working Party, a controller should have regard for the best interests of the child.

[MOD8] Internet Technology & Communications - Search Engines 1. Search Engines are Controllers over what information? 2. When are search engines outside the EU subject to GDPR? 3. Search Engine Marketers are Controllers over what information?

Search engines = Controllers over: /1: pd about their users AND /2: pd contained in third-party webpages. (Google v. AEPD case) Under the case law established by that case: Search engines outside the EU are also likely subject to the GDPR: /1: IF processing pd from third-party web pages, /2: AND they have an EU establishment whose activities are economically linked to the search engine's core activities. Search Engine Marketers: When web traffic data is processed by search engines and provided as analytics—such as Google Analytics—to SEMs that fall within the scope of the GDPR, the organizations conducting the SEM are also controllers. Note: SEMs can take certain steps to ensure that aspects of the web traffic analysis process are anonymized, such as ensuring that data, including IP addresses, is not stored in Google Analytics even after the user has accepted the placement of cookies, and anonymizing IP addresses before storage or processing takes place.

[MOD4] GDPR Processing Principles, A.5 (there are 9)

The 9 Processing Principles are Broadly Interpreted: -1- Accuracy -2- Accountability -3- Storage Limitation -4- Lawfulness -5- Fairness (of Processing Activities) -6- Transparency (of Processing Activities) -7- Data Minimization -8- Purpose Limitation -9- Integrity & Confidentiality

[MOD10: Accountability] - Should a DPO be appointed question - the definitions of 'core activities' 'large scale' 'regular and systematic monitoring'

The Article 29 WP on designation, position and tasks of the DPO: Definition of 'core activities': ▪ 'processing health data, such as patients' health records, should be considered as one of any hospital's core activities and hospitals must therefore designate DPOs. On the other hand, supporting activities, such as processing employee payments and standard IT support, do not qualify as core activities but rather support activities.' ▪ note: processing of patient data in the regular course of business by a hospital WOULD qualify as large scale, while 'processing patient data by an individual physician' WOULD NOT -- processing health data is not an individual physician's "core activity" 'Large scale' = 'the number of data subjects concerned,' the 'volume' or 'range' of data items, the 'duration' of the processing, and/or the 'geographical extent of the processing'. 'Regular and systematic monitoring' includes 'all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment.'

[MOD9] NIS Directive

The Directive on Security of Network and Information Systems (NIS Directive) = May 2018; first EU-wide cybersecurity law. While not specifically concerned with personal data, the Directive aligns with the GDPR and indirectly bolsters the security of personal data within organizations that are regulated by the Directive. Its three focuses include: /1: national capabilities, /2: cross-border collaboration, and /3: national supervision of critical sectors. /1: National capabilities: Compel development of EU member state cybersecurity strategies and structures. /2: Cross-border collaboration: Enhance cooperation between EU member states. A Cooperation Group coordinates National Computer Security Incident Response Teams and develops best practices. /3: National supervision of critical sectors: Improve security levels of essential services (energy, water, transport, health and banking sectors) and digital service providers (online marketplaces, online search engines and cloud computing services).

[MOD11: Supervision and Enforcement] the European Data Protection Board ( 1 ) EDPB x A. 29 WP? ( 2 ) Membership and Rules ( 3 ) Independence of the EDPB

The GDPR replaced the A.29 WP w/ the EDPB NOTE: The Article 29 WP's opinions are still valid under the GDPR to the extent that they align with the Regulation -- the EDPB will decide which opinions must be updated. Membership and Rules: ▪ The EDPB = a representative of every member state's SA. ▪ The 30 EEA states have reps in the EDPB, BUT only the representatives from the 27 EU member states may actively participate. ▪ Presided over by a Chair who is elected by the EDPB representatives; overseen by the European Data Protection Supervisor (EDPS) Independence of the EDPB: The EDPB must act independently. Its roles are to: ▪ Monitor for the correct application of the GDPR and oversee the consistency mechanism for ensuring a consistent approach to data protection by the various supervisory authorities ▪ Issue guidance and advice to the Commission for personal data protection on a pan-EU basis; and ▪ Preside over the dispute-resolution process

[MOD7] The Trade and Cooperation Agreement /1. What is it? /2. What has the effect of it been?

The Trade and Cooperation Agreement ▪ Signed between the EU and the UK on 12/24/2020 ▪ Allows transfer of PD from the EU to the UK to continue for up to 6 months while the EC is assessing adequacy decisions under the GDPR and the Law Enforcement Directive ▪ The UK has already indicated that it considers the EU data protection regime adequate Effect: PD has continued to flow freely from the UK to the EU so far

[MOD8] Surveillance: CCTV

The captured images of individuals are considered biometric data under the GDPR. When collecting such personal data, GDPR compliance considerations should include: Lawfulness of processing; Prior to carrying out surveillance, the controller should determine the lawfulness of processing (for example, legitimate interest; the establishment, exercise or defence of legal claims; in the public interest for a public area; or in the exercise of public authority, such as for monitoring traffic). Note that consent likely would not be possible. A controller may need to rely on a provision in member state law to conduct video surveillance in certain circumstances. Note: bc biometric data (like CCTV images) - when used to identify a natural person - qualifies as a special category of pd under the GDPR, processing can only be carried out if one of the permitted conditions in A.9 applies. A data protection impact assessment (where applicable); required if: ▪ The video surveillance is considered to be high risk; ▪ Processing involves the systematic monitoring of a publicly accessible area on a large scale; or ▪ Video surveillance has been included by the relevant supervisory authority on a list of data processing operations that require a DPIA. Note: The decision to use CCTV should be made only if other, less intrusive solutions that do not require image acquisition have been considered and found to be clearly inapplicable or inadequate for the intended lawful purpose Prior checking; In many countries, using CCTV triggers the requirement to notify the local regulator, and in some circumstances, seek authorization.

[MOD10: Accountability] DPO Tasks and Responsibilities (6)

The tasks and responsibilities of the DPO are to: ( 1 ) Ensure compliance with GDPR • Advise the controller, processors and employees who carry out the processing of their data protection obligations ( 2 ) Manage risk ( 3 ) Be a point of contact with the SA and with data subjects ( 4 ) Provide advice on, and monitor, data protection impact assessments; AND ( 5 ) Exercise professional secrecy

[MOD10: Accountability] Recording Obligations: When is recording required by GDPR? (4)

These include: /1. processing personal data for organizations of 250 or more employees. /2. If the processing is likely to result in a risk to the rights and freedoms of data subjects; /3. If processing is not occasional; or /4. If processing special categories of data OR data relating to criminal convictions and offenses. ++Note: bc this final trigger is broad, recording obligations likely will apply to many organizations with fewer than 250 employees.

[MOD8] Processing Employee Data: Trade Unions and Works Councils

Trade Unions and Works Councils --->Most common in Germany, works councils are kind of like internal trade unions, formed from employee groups ▪ In addition to following data protection law and local employment law, an employer may also be obligated to communicate with a trade union or works council ▪ Depending on local law, works councils may have power over the processing of employees' pd; employers may need to notify/consult with/seek approval for processing from works councils ▪ Works Councils may need to demonstrate GDPR compliance themselves

[MOD10: Accountability] The DPO Role, as described in A.37 GDPR 1. When is a DPO required? (3) 2. Additional Ways a DPO may be appointed 3. DPOs for Pan-Euro Companies

Under the GDPR, a DPO is required in three cases: /1. If the controller is a public authority. /2. If the core activities of the controller or processor include regular and systematic monitoring of data subjects on a large scale. If uncertain, organisations will do best to appoint a DPO. /3. If the core activities of the controller or processor consist of large-scale processing of special categories of data. • Under GDPR, member states may specify additional circumstances that may require a DPO. • Controller/processor may also choose to appoint a DPO voluntarily DPOs for Pan-European Companies • Appointing just one DPO for pan-European companies, while permitted by the GDPR, may prove difficult because of the need for expertise in national and sector-specific laws and the need to communicate with supervisory authorities. Article 37(2) says the DPO must be easily accessible from each establishment. This may be more difficult if the company is very large or geographically extensive.

[MOD7] International Transfers: Adequate Safeguards - Adequacy Decisions /1. Who makes adequacy decisions? What does an adequacy decision indicate? /2. What are the factors to be considered? /3. How often are adequacy decisions reviewed under GDPR? What are the possible outcomes?

Who makes adequacy decisions? What does an adequacy decision indicate? --} The EC makes adequacy decisions based on assessments of 3rd country data protection laws --} An adequacy decision indicates an adequate level of data protection for a country/territory/international org/MNC (measures up to a European-like standard) Factors = I DARE GO □ International human rights standards ----- □ Data protection rules, professional rules and security measures, incl. specific rules for onward transfers □ Access to justice □ Respect of the rule of law □ Effective and enforceable rights for individuals, including effective administrative and judicial redress ----- □ General and sectoral law, and case law □ Other international commitments and obligations How often are adequacy decisions reviewed under GDPR? What are the possible outcomes? --} Under GDPR, adequacy decisions are reviewed every 4 years --} Country decisions can then be accepted, affirmed, repealed, suspended or amended. --} Adequacy decisions made under the Data Protection Directive will remain in force until amended, replaced or repealed.

[MOD8] Surveillance: ePrivacy Directive

ePrivacy Directive, aka the Cookie Directive, aka the Privacy and Electronic Communications Directive. Sets out rules governing the processing of location, content and traffic data over a public electronic communications network or publicly available communications system—in other words, data passing over public telephone or internet carriers, or services that use a public communications network. Article 5(1) says the confidentiality of the content of communications must be ensured, and content cannot be intercepted or disclosed to third parties unless there is consent from all users. Member states can introduce some exemptions if necessary for very limited purposes, such as national security and law enforcement. Monitoring considerations, as discussed earlier in this module, are still relevant: necessity, proportionality, legitimacy and transparency. The ePrivacy Directive allows for the interception of a communication when an organisation has a lawful business purpose (defined by the member states) for accessing data going through its public networks. For the collection of individuals' precise location-based data, opt-in consent is generally required --} Exception: carriers who need the data to provide the service

[MOD8] Processing Employee Data: Storage of Employee Records & How to Retain Them if it's Necessary

§ Records containing pd should not be retained longer than necessary § After employment ends, an employer's legit basis to retain the records diminishes § Local laws may affect the necessary retention periods — e.g., there are retention obligations for some former employees' records for some uses, such as records of former machine operators § In case retention is necessary, these records should be archived and internal access to them limited

[MOD2] Special Categories of Personal Data - Article 9(1) - processing of personal data revealing the following "shall be prohibited"

§ There exists a significant grey area as far as what is special category data - e.g., an x-ray of a broken arm will very likely count as data concerning health, but a picture of a holiday party in which someone has a cast on their arm may or may not. CAT. 1 - Racial/ethnic origin - Political opinions - Religious/philosophical beliefs - Trade-union membership CAT. 2 - Genetic data - Biometric data for the purpose of uniquely identifying a natural person - Data concerning health - Data concerning a natural person's sex life / sexual orientation
