Machine-readable Data and GDPR Compliance

Questions and Answers

What characteristics define data as 'machine-readable' according to the text?

  • Containing large amounts of unstructured text with embedded metadata.
  • Designed for human readability with detailed annotations and summaries.
  • Formatted for easy identification, structured, and in a common format. (correct)
  • Encrypted to ensure data privacy and accessible only by authorized personnel.

According to the European Data Protection Board, what is the relationship between interoperability and machine-readable data?

  • Machine-readable, structured, and common data are means to achieve interoperability. (correct)
  • There is no direct relationship between interoperability and machine-readable data.
  • Interoperability is a prerequisite for data to be considered machine-readable.
  • Interoperability ensures data encryption but does not relate to machine readability.

Based on Article 2 lit.a of Decision No 922/2009/EC, what does 'interoperability' entail?

  • The process of converting data into a machine-readable format.
  • The ability of unrelated organizations to work together towards shared goals by exchanging data through their ICT systems. (correct)
  • The ability to process data quickly without regard for accuracy.
  • The legal requirement for all ICT systems to use the same software and hardware.

According to Article 22 of the GDPR, what right do data subjects have regarding automated decisions?

The right to obtain human intervention, present their views, and contest decisions made by automated processing. (B)

What condition must be met for the right to intervene in automated decisions to be meaningful?

Manual intervention must be possible, and the automated decision must be rectifiable. (B)

According to Recital 71, what measures should be implemented to protect data subjects from errors and discrimination in profiling?

Implementing technical and organizational measures to correct inaccurate data and minimize the risk of error and discrimination. (A)

According to the content, what is a key aspect of ensuring fair and transparent processing in profiling?

Taking measures to correct factors leading to inaccurate personal data or decisions that discriminate against the data subject. (D)

What is the relationship between fair data processing and the minimization of errors in profiling according to the GDPR?

Fair processing involves minimizing the risk of errors that lead to inaccurate personal data or discriminatory decisions. (D)

According to GDPR, under what condition can an exception regarding data processing be applied, ensuring purpose limitation and confidentiality?

If appropriate technical and organizational measures are adopted to protect the data subject's rights and freedoms. (D)

What does the GDPR's Integrity principle primarily ensure regarding personal data processing?

Protection against unauthorized modifications and deletions of personal data. (C)

Under GDPR, what constitutes a breach of confidentiality regarding personal data?

When the processing of personal data is carried out without authorization. (B)

According to GDPR, what is the role of the controller regarding accountability and verifiability?

The controller must demonstrate compliance with GDPR principles and ensure processing aligns with the regulation. (C)

Which article of the GDPR specifically addresses the confidentiality obligations of data protection officers?

Article 38, paragraph 5 (D)

How does GDPR ensure the confidentiality of personal data concerning systems, services, processors, and individuals under the controller's or processor's authority?

Via obligations to follow the controller's instructions, confidentiality agreements, and legal confidentiality duties. (B)

Which of the following measures best exemplifies maintaining the integrity of personal data under GDPR?

Implementing version control systems to track and rectify unauthorized data modifications. (C)

A company experiences a data breach where unauthorized individuals gain access to personal data. What immediate actions should the company take to comply with GDPR regarding confidentiality?

Assess the scope of the breach, secure the compromised systems, and notify the appropriate supervisory authority. (D)

Under the GDPR, what is the overarching requirement for data controllers regarding compliance?

Demonstrating accountability and verifiability of compliance efforts. (A)

Which of the following rights is explicitly granted to data subjects under Chapter III of the GDPR (Articles 12-23)?

The right to access information, rectification, erasure, and data portability. (A)

According to the GDPR, what specific action must a data controller take to facilitate the rights of data subjects?

Create conditions through technical and organizational measures to grant data subjects' rights. (B)

Which of the following measures is NOT explicitly required by the GDPR to ensure data subject rights are respected?

Implementing mandatory data encryption for all personal data at rest and in transit. (D)

What aspects of system and data management does Article 32 of the GDPR emphasize to promote data protection through technology?

Availability, resilience, restorability and evaluability of systems, services, and data. (D)

What is the primary obligation of controllers under Articles 33 and 34 of the GDPR in the event of a personal data breach?

To report the breach to supervisory authorities and notify affected individuals, as required. (D)

Which of the following is the MOST accurate description of 'Data Protection by Default' according to Article 25 para. 2 GDPR?

Ensuring that only necessary personal data is processed to achieve a specific purpose. (B)

What is the significance of 'evaluability' as mentioned in Article 32 para. 1 lit. d GDPR, in the context of data protection?

The capability to assess and test the effectiveness of security measures. (A)

Which principle is primarily supported by the GDPR requirement of data protection-friendly default settings (Art. 25 para 2 GDPR)?

Data Minimisation (A)

Ensuring that data can be recovered after a system failure primarily addresses which principle related to data protection?

Availability (B)

Which of the following GDPR articles emphasizes the need for organizations to implement processes for monitoring data processing activities?

Art. 33 (A)

According to GDPR, which of the following scenarios primarily relates to the principle of 'Intervenability'?

Providing data subjects the right to rectify inaccurate personal data. (A)

What is the MOST direct implication of GDPR Article 35 for data controllers?

Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities. (B)

Which of the following best describes the relationship between 'Resilience' and other data protection principles according to the provided text?

Resilience supports Availability, Integrity, and Confidentiality: maintaining data access, accuracy and protection from unauthorized access. (B)

A company uses an algorithm to automatically assess credit risk. Which of the following measures would BEST address the GDPR's requirements regarding 'freedom from error and discrimination in profiling'?

Implementing a system to allow individuals to intervene in the automated decision-making process. (D)

What is the primary objective of 'Evaluability' as it relates to data protection under GDPR?

To enable the assessment and verification of data protection measures. (D)

Which of the following measures primarily contributes to data recoverability after a major system failure?

Establishing and testing a contingency plan for restoring processing activities. (D)

Redundancy of hardware, software, and infrastructure primarily enhances which two aspects of data security?

Availability and resilience. (A)

Why is documenting data syntax essential for data security and management?

It supports data availability and recoverability. (C)

Implementing checksums and electronic signatures primarily aims to protect which aspect of data?

Integrity (C)

How does hardening IT systems, by reducing secondary functionalities, enhance data security?

It minimizes potential attack vectors and enhances resilience. (C)

What is the primary benefit of regularly testing processes to determine functionality, risks, and security gaps?

Maintaining data integrity and resilience. (D)

Which of the following strategies is most effective in maintaining the timeliness of data?

Establishing processes for regular data updates. (A)

Protection against external influences, such as espionage and hacking, directly supports data integrity and which other security goal?

System resilience. (C)

What is the primary purpose of the GDPR?

To protect the fundamental rights and freedoms of natural persons, especially their right to personal data protection. (B)

When did the GDPR come into effect and become enforceable in the European Union?

It came into effect on 25 May 2018, after a two-year transitional period that started on 25 May 2016. (B)

Which articles of the GDPR specifically address the security of processing personal data?

Articles 5, 12, 25 and 32. (B)

What kind of measures does the GDPR require to adequately reduce the risks to the rights and freedoms of natural persons?

A combination of appropriate technical and organizational measures. (A)

How does the GDPR influence the development and application of the Standard Data Protection Model (SDM)?

The GDPR serves as a legal basis, requiring the SDM to include technical and organizational measures that align with GDPR principles. (B)

Within the context of the Standard Data Protection Model, what is the role of 'Contractor, Project Management, User'?

These are key roles and stakeholders whose responsibilities and interactions are defined within the SDM's operational framework. (D)

What is the purpose of the 'Keyword Index' within the documentation of the Standard Data Protection Model?

To provide a quick reference to key terms and concepts within the SDM framework. (A)

Where can one find a structured collection of concrete measures to implement data protection requirements as part of the SDM?

In the 'Appendix Catalogue of reference measures'. (C)

Flashcards

Act (in SDM)

A phase in the SDM that focuses on continuous improvement and making informed decisions regarding data protection measures.

Organisational Framework (in SDM)

The section of the document outlining how the SDM integrates with BSI Grundschutz and defines roles like contractor, project management, and user.

BSI Grundschutz

A German IT security standard that provides a structured approach to information security management.

Operating Concept (for SDM)

The operational guidelines defining how the Standard Data Protection Model should be applied within an organisation, including roles such as contractor, project management and user.

GDPR

The EU regulation standardizing data protection laws across Europe.

GDPR Focus

Rights and freedoms of natural persons, particularly their right to protection of personal data.

GDPR Requirements

Technical and organisational measures that reduce risks to individuals' rights and freedoms.

GDPR Article Examples

Articles 5, 12, 25 and 32 GDPR define the fundamental requirements on the security of processing personal data.

Accountability

Controllers must demonstrate compliance with GDPR principles.

Data Subject Rights

Data subjects have specific rights under Chapter III of GDPR.

Support Data Rights

Controllers must enable data subjects to exercise their GDPR rights.

Identity Authentication

Confirm the identity of individuals requesting data.

Data Protection by Default

Integrate data protection measures into systems by default.

System Availability

Ensuring systems, services, and data are accessible when needed.

System Resilience

The ability of systems to withstand and recover from disruptions and attacks.

Breach Notification

Controllers must report data breaches to authorities and affected individuals.

Data Integrity

Ensuring data is protected against unauthorized changes and deletions.

Data Confidentiality

Protecting personal data by preventing unauthorized access or use.

Confidentiality Breach

A breach where personal data is processed without proper authorization.

Accountability (GDPR)

The data controller's legal obligation to demonstrate GDPR compliance.

GDPR Exception Safeguards

Technical and organizational measures to enforce purpose limitation and confidentiality when processing special categories of data.

Protection Against Data Damage

GDPR principle that ensures data is processed in a way that prevents accidental loss, destruction, or damage.

Verifiability (GDPR)

GDPR requirement for controllers to demonstrate compliance with data processing principles.

Integrity Measures

Ensuring protection against unauthorized modifications and deletions of personal data.

Machine-Readable Data

Data structured for easy identification, recognition, and extraction by software applications.

Interoperability

The ability of diverse organizations to interact towards common goals through data exchange.

Right to Human Intervention

The right to have a human review and potentially rectify an automated decision.

Fair Profiling

Ensuring profiling processes are fair and transparent to protect data subject's rights.

Profiling Error Correction

Correcting factors leading to inaccurate data or discriminatory decisions in profiling.

Profiling Risk Minimization

Minimizing the risk of errors in profiling through technical and organizational measures.

Data Protection in Profiling

Safeguarding rights, freedoms, and legitimate interests when processing or profiling data.

Article 22 GDPR

Article 22 of GDPR provides data subjects rights relating to automated processing operations.

Data Accuracy

Ensuring data is accurate and suitable for its purpose.

Accountability and Verifiability

Demonstrating compliance with GDPR principles and being able to verify data processing activities.

Support Data Subject's Rights

Allowing data subjects to exercise their rights (access, rectification, erasure, etc.).

Identification and Authentication

Ensuring only authorized individuals can access data.

Availability

Data is easily available when needed.

Restorability

The ability to recover data after an incident.

Evaluability

A process assessing data protection requirement implementation.

Consent Management

Managing user permissions and preferences for data processing.

Protection Against External Influences

Protecting against malware, sabotage, and force majeure events to ensure continuous system operation.

Documentation of Data Syntax

Documenting the structure and format of data to ensure its correct interpretation and use.

Redundancy of Hardware and Software

Duplicating critical hardware, software, and infrastructure components to prevent single points of failure.

Repair and Backup Processes

Implementing procedures for fixing issues and creating data backups to restore systems after failures.

Contingency Plan for Restoring Activity

Creating a plan to restore processing activities in case of a disruptive event.

Restriction of Write Permissions

Restricting permissions to prevent unauthorized data modification.

Checksums and Electronic Signatures

Using cryptographic techniques to ensure data authenticity and prevent tampering.

Hardening of IT Systems

Minimizing unnecessary features to reduce potential vulnerabilities.

Study Notes

  • The Standard Data Protection Model (SDM) is a method for advising and controlling Data Protection based on uniform protection goals.
  • SDM Version 3.0a was adopted by the 104th Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder on November 24, 2022.
  • The provider is the Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder.
  • The publisher is AK Technik of the Independent Data Protection Supervisory Authorities of the Federation and the Länder.
  • The editor is UAG "Standard Data Protection Model" of the AK Technik of the Independent Data Protection Supervisory Authorities of the Federation and the Länder.
  • The head of the UAG "Standard Data Protection Model" is Martin Rost of Unabhängiges Landeszentrum für Datenschutz Schleswig Holstein.
  • The Head of the AK Technik is René Weichelt, Der Landesbeauftragte für Datenschutz und Informationsfreiheit Mecklenburg-Vorpommern.
  • The document may be used for commercial and non-commercial purposes, copied, printed, altered, processed, transmitted and merged with other data.
  • Users must ensure the source note includes the provider's name, the annotation "Data licence Germany – attribution – Version 2.0" or "dl-de/by-2-0" linking to www.govdata.de/dl-de/by-2-0, and a reference to the dataset (URI).

Introduction

  • The European General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) entered into force on May 25, 2016 and has applied since May 25, 2018.
  • GDPR protects natural persons' rights and freedoms regarding personal data processing.
  • Articles 5, 12, 25 and 32 of the GDPR provide fundamental requirements for the security of processing personal data.
  • The GDPR requires appropriate technical and organisational measures to adequately reduce risks to individuals' rights and freedoms.
  • Data protection by design and by default (Art. 25 GDPR) requires controllers to address data protection early in processing planning.
  • The GDPR requires a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.
  • GDPR provides a consistency mechanism that integrates independent supervisory bodies through consultation.
  • Article 5 GDPR sets out the basic principles relating to the processing of personal data: personal data shall be processed lawfully, fairly and in a transparent manner; be adequate, relevant and limited to what is necessary for the purpose; be based on correct data; be protected against loss, destruction or damage; and be processed in a way that provides for the integrity and confidentiality of such data. In addition, personal data may normally only be stored in a form which permits identification of the data subjects for as long as is necessary. It must be possible to demonstrate compliance with the principles ('Accountability').
  • The Standard Data Protection Model (SDM) is meant to transform GDPR's regulatory requirements into technical and organizational measures.
  • The SDM records the legal requirements of the GDPR and assigns them to protection goals like Data Minimisation, Availability, Integrity, Confidentiality, Transparency, Unlinkability and Intervenability.
  • Legal requirements of the GDPR on protection goals are transposed into detailed technical and organisational measures in the SDM's catalogue of reference measures.
  • The SDM aids in turning abstract legal requirements into concrete technical and organisational measures.

A1 Purpose of the SDM

  • The Standard Data Protection Model (SDM) supports the selection and evaluation of technical and organisational measures to ensure GDPR compliance and the security of personal data.
  • Measures should be proportionate and appropriate to limit risks to data subjects.
  • When processing, examine whether technical and organisational measures ensure data subjects' rights and the processing security (Chapter III GDPR).
  • The SDM systematises measures based on protection goals to help select appropriate ones.
  • It is concerned exclusively with designing processing in compliance with data protection law; it does not create requirements beyond that law.
  • Processing personal data requires a sufficient legal basis as well as measures ensuring the security of processing.
  • The Art. 5 GDPR processing principles and the Art. 6 GDPR requirements for lawfulness of processing must be met.
  • Before SDM application, validate the legal basis.

A2 Application scope of the Standard Data Protection Model

  • The application of the SDM covers the planning, implementation and operation of activities in which personal data is processed, together with their validation and assessment.
  • Processing activities should align with a well-defined, legitimate purpose (e.g., public-sector enabling provisions) and with the business processes used to achieve that purpose.
  • GDPR mandates selecting and implementing necessary and appropriate technical and organisational measures for processing personal data.
  • Measures are part of data processing, including related data that may become a separate processing activity.

A3 Structure of the SDM

  • The Standard Data Protection Model contains the following:
  • Systematised data protection requirements in the form of protection goals.
  • Generic measures systematically derived from those protection goals, supplemented by reference measures.
  • A model of the processing activity with its components: data, systems, services and sub-processes.
  • A systematised risk identification to determine the protection requirements.
  • A procedure model for the continuous modelling, control and testing of processing activities.

A4 Role of the Protection Goals of the SDM

  • The SDM uses 'protection goals' to systematise data protection requirements, guaranteeing legally compliant processing with technical and organisational measures.
  • The guarantee lies in reducing deviations from the legally compliant processing, preventing unauthorised processing and non-implementation of necessary operations.
  • Protection goals bundle and structure the data protection requirements, operationalising them through linked, scalable measures.
  • They are essential for the implementation of data protection and are:
  • Data minimisation.
  • Availability.
  • Integrity.
  • Confidentiality.
  • Unlinkability.
  • Transparency.
  • Intervenability.
  • The SDM builds on the information security protection goals that have been used successfully in practice for years.
  • Their aim is securing data in public authorities and companies.
  • Data protection interprets protection goals from data subjects' perspectives, encompassing all data protection requirements for personal data processing.
  • Therefore, the SDM considers these protection goals in their entirety, combining information security objectives with data protection requirements.
  • In March 2010, the Conference of Data Protection Commissioners of the Federal Government and the Länder proposed a reform of technical and organisational data protection in its key paper 'Ein modernes Datenschutzrecht für das 21. Jahrhundert'.
  • European legislator adopted the SDM concept of the protection goals in GDPR.
  • All requirements are derived from GDPR and can be structured by protection goals.
  • The SDM does not impose requirements beyond applicable data protection law.
  • Protection goals and their understanding will be evaluated and adjusted if the data protection law changes.
  • The supervisory activities are based on GDPR.
  • The SDM's concept promotes rights-oriented data protection and supports controllers and supervisory authorities.

Part B: Requirements of the GDPR

  • European General Data Protection Regulation (GDPR) applies uniform rules throughout Europe.
  • Entered into force May 25, 2016, and applicable in all EU Member States since May 25, 2018.
  • While Member States retain some additional regulatory powers, the GDPR takes precedence over national laws.
  • Article 5 GDPR lays down the core requirements, incorporating the protection afforded by Art. 8 of the Charter of Fundamental Rights of the European Union.
  • The GDPR compels controllers and processors to design their operations and technology around the fundamental protection of data subjects' rights.
  • Controllers are obliged to select, implement and check technical and organisational measures to reduce risks, e.g. unauthorised access.
  • Article 5 para. 1 and Article 24 GDPR state that the controller is responsible for compliance with the processing principles and must be able to demonstrate that compliance.
  • The GDPR demands a data protection impact assessment (DPIA) in line with Art. 35 GDPR for processing operations that are likely to pose a high risk to the rights and freedoms of natural persons.
  • The SDM intends to contribute to Article 5 of the GDPR processing principles and provide proof of implementation.
  • The aim is to implement in practice the data protection requirements laid down in the GDPR.
  • The SDM does not consider fundamental questions of the substantive lawfulness of the processing operation.

B1 Key data protection requirements of the GDPR

  • The key data protection requirements have to be implemented for every processing of personal data.
  • Consent management summarises the additional requirements to be met if the lawfulness of the processing is based on consent under Art. 6 GDPR.
  • Implementing supervisory measures may require additional considerations.
  • Art. 5 sets requirements, and provides for:
  • Transparency for data subjects affected by the processing of personal data
  • Purpose limitation for the processing of personal data
  • Data minimisation in the processing of personal data
  • Accuracy of personal data
  • Storage limitation for personal data
  • Integrity of personal data
  • Confidentiality of personal data
  • The controller must demonstrate compliance with paragraph 1.
  • Accountability and verifiability. (Art. 5 para. 2, Art. 24 para. 1 GDPR)
  • Articles 12-23 GDPR set out the rights of data subjects.
  • The following requirements result from the obligation to take the rights of data subjects into account:
  • Support in exercising the rights of data subjects
  • Identification and authentication of the person requesting information
  • Right to rectification
  • Right to erasure
  • Restriction of data processing (formerly blocking, Art. 18 GDPR)
  • Data portability
  • Possibility to intervene in processes of automated decisions
  • Freedom from error and discrimination in profiling
  • Art. 25 and 32 GDPR address Data Protection by Default and the security of processing; they require the following:
  • Availability of systems, services and data
  • Resilience of the systems and services
  • Restorability of data and data access
  • Evaluability
  • Controllers have a reporting / notification obligation towards authorities for any data breaches.
  • This requires identifying and classifying data protection violations, notifying authorities and data subjects
  • Resulting requirements are:
  • Rectification and mitigation of data protection violations
  • Adequate monitoring of the processing
  • If processing is based on consent, Art. 7 and 8 GDPR must be complied with.
  • Consent management (Art. 4 No. 11, Art. 7 and 8 GDPR)
  • Under Art. 58 GDPR, supervisory authorities have powers to issue regulatory orders; controllers must implement and follow the orders of a supervisory authority (Art. 58 GDPR).

B1.1 Transparency for data subjects

  • Transparency is a fundamental principle in data protection law, detailed in GDPR regulations.
  • It is detailed in the information obligations pursuant to Art. 12.
  • Requires precise, transparent, comprehensible, and easily accessible information in the processing of data.
  • Data subjects must be informed of the status of the processing and the measures taken without undue delay, and within one month at the latest.

B1.2 Purpose limitation

  • Personal data shall only be processed for the purpose for which it was collected; processing for a different purpose is not authorised.
  • Business purposes and research purposes serve as the yardstick.
  • Subsequent processing must be compatible with the original purpose (Art. 6 para. 4 GDPR).
  • Data subjects must be informed so that they can exercise their right of objection.

B1.3 Data minimisation

  • Data Minimisation is linked to the principle of Purpose Limitation.
  • Personal data must be adequate, relevant to the purpose, and limited to what is necessary for processing (Art. 5 para. 1 lit. c GDPR).
  • Appropriateness: data must be relevant to the purpose of the processing, and has to be made with an evaluative decision on purpose of the data.
  • Data is relevant if it contributes an amount to the achievement of a processing purpose.
  • Only those data are limited to the necessary extent that are limited to what is necessary for the purpose of processing and without which the processing purpose cannot be achieved.
  • Necessity is a general principle of European Union law.
  • Only necessary data is required for Data Minimisation (Art. 5 para. 1 lit. b GDPR).
  • Necessity is also a prerequisite under Art. 6 para. 1 and Art. 9 para. 2 GDPR.
  • The principle must be taken into account throughout the processing, which may also require anonymisation of the data.
  • The optimisation target, which serves as orientation, is to minimise the power of disposal over the data and the knowledge that can be gained from them.
  • Limiting use to the extent necessary may lead to a requirement to anonymise the data at a certain future point in time.
  • Technical and organisational measures must give priority to the best data protection, which is achieved when no or little personal data is processed.
  • Restrict the number of data fields and data sets to which a functionality is applied.
  • Anonymisation and pseudonymisation: data that allow the identification of data subjects may be erased or transformed, and their display suppressed in data entry masks, so that they are not made known to the persons involved in the processing, provided that this knowledge is unnecessary for the respective processing purpose.

B1.4 Accuracy

  • Art. 5 para. 1 lit. d GDPR formulates the Accuracy requirement for personal data.
  • Personal data should be kept up to date; the Regulation requires steps to ensure that inaccurate personal data are erased or rectified without delay.

B1.5 Storage Limitation

  • Art. 5 para. 1 lit. e GDPR provides that personal data may be kept in a form which permits identification of the data subjects only for as long as is necessary for the purposes of the processing.
  • From this, the necessity of measures for pseudonymisation, anonymisation or erasure is derived.
  • An exception is formulated for archiving purposes in the public interest and for scientific or historical research purposes.
  • In that case, the appropriate technical and organisational measures required by the Regulation must be adopted to protect the rights and freedoms of the data subject, particularly with a view to enforcing purpose limitation and confidentiality.

B1.6 Integrity

  • Integrity is named as a principle for the processing of personal data in Art. 5 para. 1 lit. f GDPR and, in Art. 32 para. 1 lit. b GDPR, is applied to the systems and services used for the processing.
  • Integrity of systems and services is one aspect of safeguarding the security of the processing.
  • Amongst other aspects, this means protection against unauthorised modification or deletion; personal data may only be processed in a manner that ensures protection against accidental loss or damage by appropriate technical and organisational measures.
  • Any changes should be either excluded or recognisable so that they can be rectified.

B1.7 Confidentiality

  • The obligation of confidentiality results from Art. 5 para. 1 lit. f GDPR.
  • It applies to the systems and services used for the processing (Art. 32 para. 1 lit. b GDPR) as well as to processors and the controller.
  • The obligation of confidentiality also follows from the duty to process only on the controller's instructions (Art. 28, Art. 32 para. 4 GDPR).
  • Unauthorised persons must not be able to access the data or the devices used for the processing (Art. 32 para. 1 lit. b GDPR, Recital 39 sentence 12).

B1.8 Accountability and Verifiability

  • Art. 5 para. 2 GDPR requires the controller to be able to demonstrate compliance with the principles of Art. 5 para. 1 GDPR.
  • The GDPR specifies extensive accountability obligations at several points.
  • The controller is obliged pursuant to Art. 7 para. 1 GDPR to be able to demonstrate consent.
  • Art. 30 GDPR requires the controller to keep a record of processing activities.
  • The controller has to document any personal data breach (Art. 33 para. 5 GDPR).
  • Under Art. 58 GDPR, the supervisory authority may order the controller to provide all information required for the performance of its tasks.
  • The controller reports data breaches to the supervisory authority and provides information at its request.

B1.9 Identification and Authentication

  • Pursuant to Art. 12 para. 6 GDPR, the controller may request additional information necessary to confirm the identity of a natural person who wishes to exercise the data subjects' rights pursuant to Art. 15 to 21 GDPR.
  • Authentication is a prerequisite for exercising the rights of data subjects.

B1.10 Support in the exercise of data subjects' rights

  • The controller must support data subjects in exercising their rights under Art. 15 to 22 GDPR, examine their requests and implement measures to fulfil them.

B1.11 Rectification of data

  • Distinct from the accuracy principle under Art. 5 para. 1 lit. d GDPR, Art. 16 GDPR grants the data subject a right to obtain the rectification of inaccurate data concerning them without undue delay.

B1.12 Erasure of data

  • Data subjects have the right to erasure of their data; Art. 17 GDPR imposes a corresponding obligation on the controller to erase data.
  • The controller must ensure that personal data which are no longer needed for the processing are erased as quickly as possible.

B1.13 Restriction of data processing

  • Restriction of processing means the marking of stored personal data in order to limit their future processing; under Art. 18 para. 2 GDPR restricted data may be processed only with the data subject's consent or in the other cases named there, and a supervisory authority may also order a restriction.

B1.14 Data portability

  • The data subject has the right to receive their data in a structured and common format (Art. 20 para. 1 GDPR).
  • Data are structured if they are organised in a way that applications can easily and quickly interpret; the format must be a common one.

In addition to the list above, the GDPR regulates a number of further requirements:

  • B1.15 Possibility to intervene in automated decision-making: Art. 22 GDPR regulates an additional right of data subjects in relation to automated processing operations.
  • B1.16 Freedom from error and discrimination in profiling: specifies the requirements for such processing (para. 2 lit. b).

Part C: Systematisation of the Requirements of the GDPR with the use of Protection Goals

  • The legal standards of the GDPR cannot be easily implemented.
  • Lawyers and computer scientists must work together to select technical and organisational measures that implement the legal requirements.
  • They are supported in this by the protection goals, to which the individual legal requirements are assigned according to their importance.
  • The protection goals translate the requirements into the technical information needed for implementation,
  • so that all processing activities are compliant
  • and the risks to the rights of data subjects are reduced.
  • Legal requirements are concretised and systematised with the help of the protection goals.

C1 Protection Goals of the SDM

  • The SDM provides protection goals that can be used to help implement the requirements of the GDPR.
  • The assignment of the requirements to the protection goals follows in chapter C2.

C1.1 Data Minimisation

  • The legal requirements to limit the processing to what is necessary are covered by this protection goal; limiting the scope of the data limits the risk.
  • Only the data needed to achieve the purpose of the processing are processed.
  • Limit and minimise the processing operations.
  • Limit accessibility and the possibility of identifying data subjects.
  • Design the information accordingly.
  • Restrict the core use of the processing system.
  • Configure the system in an adapted manner.

C1.2 Availability

  • Data and information must be accessible and properly usable in the process.
  • Authorised parties must be able to process them with the system.
  • Concrete retrieval from the system must be possible.
  • The data must be interpretable by humans.
  • Rapid restoration must be possible in the event of a physical or technical incident.

C1.3 Integrity

  • Requirement that the processes continuously comply with what has been specified for them
  • Correctness of data
  • Integrity refers to the data
  • Integrity of handling (the processes)
  • Integrity relates to the systems
  • Appropriateness of the measures
  • Addressing correct data (B1.4)

C1.4 Confidentiality

  • No one who is not authorised may gain knowledge of the data (see B1.7)
  • This includes third parties
  • Processing must be properly confined to what the data subjects have been informed of
  • Resilience of the systems
  • Remedy and mitigation measures

C1.5 Unlinkability

  • Implements the protection goal derived from purpose limitation (B1.2): data must not be used beyond their original purpose
  • Applies to the organisation and to the system

C1.6 Transparency

  • Requirement that the data and the system operation can be understood and verified by the competent parties (B1.1, B1.8)
  • Information about the data and the processes must be available to those who bear legal responsibility for them

C1.7 Intervenability

  • The data subjects' rights covered: B1.11 rectification, B1.12 erasure, B1.13 restriction,
  • B1.14 data portability, B1.15 the right to object and to obtain human intervention in automated individual decision-making

Protection Goals

  • In the following, the SDM assigns the requirements listed in chapter B to the protection goals.

Part D: Practical Implementation

  • The components of a processing activity are considered.
  • Reference measures are specified for each protection goal.
  • Individual measures are intended to ensure that certain protection goals are achieved.
  • The measures listed are generic and have been used by supervisory authorities for many years.

D1.1 Availability

  • Typical measures to guarantee availability:
  • Tested backup concept
  • Protection measures
  • Documentation
  • Redundancy
  • Backup and repair processes
  • Contingency planning so that the system can be restored
  • Representation (substitution) arrangements

D1.2 Integrity

  • Safeguarding integrity by restricting modification permissions
  • Use of checksums and seals
  • Assigned (documented) responsibilities
  • Processes for handling incorrect data
  • Hardening of IT systems and processes

D1.3 Confidentiality

  • A basic access control concept
  • Secure authentication for the procedure
  • Qualification and formal commitment of personnel with responsibility and authority
  • Specification of authorisations

D1.4 Unlinkability

  • Restrictions on processing, applied by program limitations
  • Deactivation or omission of interfaces
  • Regulatory quality and safety compliance
  • Organisation of departmental boundaries
  • Role concepts and secure identification
  • Access controlled by user and application
  • Purpose limitation of the data (B1.2)

D1.5 Transparency

  • Documentation of all activities (Art. 33 GDPR)
  • Documentation of the operations of all processing activities
  • Assessment of the processing on the basis of proper data

D1.6 Intervenability

  • Measures differ according to the right concerned.
  • Creation of the necessary data fields for the rights in B1.11 onward, with management by the system (see D3).
  • Documentation of problems.
  • Handling of individual cases must be possible even where the IT systems do not provide an effective means.

D1.7 Data Minimisation

  • Reduction of the attributes recorded
  • Reduction of processing operations and functions
  • Reduction of the possibilities to gain knowledge
  • Setting limits on the processing objective
  • Processing only of data known to be necessary
  • Implementation of erasure processes by defining erasure rules, with monitoring

D1.8 Protection goals as a Design Strategy

  • The requirements have to be taken into account while modelling the processing activity; the principle of data protection by default needs to be observed.

D2 Processing Activities

  • The processing activity is the concept used in Art. 30 GDPR.
  • It is not limited to automated means of processing personal data (see 12).
  • It covers the life cycle of the data up to their destruction.

D2.1 The subdivision of a processing activity into operations or into the phases of the life cycle of the data

  • To examine the processing, break it down into its processing operations (cf. Art. 4 GDPR), starting with the collection of the data and ending with their deletion; then assess the compliance of each operation.

D2.2 Levels of a Processing Activity

  • The levels must be specific enough to understand which personal data the activity processes and for what.

D2.3 Purpose

  • The purpose of the processing must be determined and legitimate.
  • The purpose determines the processing.

D2.4 Components of processing or processing activity

  • A processing activity has three components:
  • Systems: servers, infrastructure
  • Processes: the organisational processes that handle the data
  • Individuals: the persons involved

D3 Risks and Need for Protection

The GDPR links the requirements for technical and organisational measures to the risk to the rights and freedoms of data subjects that arises from the processing of their personal data. The risk is the possibility of interference with these rights resulting from damage. It is the job of the controller to identify this risk.

D3.1 Risks for Data Subjects

The starting point of the risk assessment is the processing itself. The risk must be formulated in terms of what has to be observed, and consolidated with the principles and protection goals.
