Data Protection - Fiche de Révision PDF
Summary
This document is a revision guide on data protection, focusing on the General Data Protection Regulation (GDPR). It covers the different players involved in GDPR, their roles and responsibilities, legal bases for data processing, and data subject rights. The guide also explains the difference between personal data and sensitive personal data.
Full Transcript
Data protection - FICHE DE REVISION

1. WHO ARE THE DIFFERENT PLAYERS INVOLVED IN THE GDPR? WHAT ARE THEIR ROLES, RESPONSIBILITIES, AND LIABILITIES?

The General Data Protection Regulation involves several key players, each with distinct roles and responsibilities: data subjects, data controllers and data processors.

A data subject must be a living natural person, identifiable either directly or indirectly from information. The processing of their data should be based on explicit consent. They have several rights, which give individuals control over their personal data and ensure that their privacy is respected: the rights to be informed, of access, to rectification, to object, to data portability, to erasure (to be forgotten), to restrict processing, and rights related to automated decision making.

Data controllers can be entities, organizations or individuals that determine the purposes and means of processing personal data. Their responsibilities are extensive: obtaining valid consent from individuals, maintaining secure records of consent preferences, ensuring data accuracy, responding to correction or deletion requests, and implementing appropriate technical and organizational measures to protect data. They are held accountable for GDPR compliance and can face significant fines for violations.

Data processors handle personal data under the authority of controllers. Their main responsibilities include processing data according to the controller's instructions, implementing appropriate protection measures, notifying controllers of data breaches, maintaining records of processing activities, and complying with data deletion requirements.

2. WHO NEEDS TO FOLLOW THE GDPR? IS THERE ANY WAY YOU CAN BE EXEMPT FROM THE GDPR?

The General Data Protection Regulation applies to any entity that collects, processes, or stores personal data of residents of the European Union or the European Economic Area. Any business, regardless of where it operates, that deals with EU residents' personal data, whether basic contact information or more sensitive data, falls under the regulation.

However, there are certain exemptions to the full application of the GDPR. First, the GDPR does not apply to data processing conducted by individuals for purely personal or household activities. Other exemptions cover the national security exception, deceased individuals, and some international transfers with adequate safeguards.

3. WHAT IS "PERSONAL DATA" AND "SENSITIVE PERSONAL DATA"? WHAT ARE THE DIFFERENCES BETWEEN THE TWO?

According to the General Data Protection Regulation, personal data refers to any information that can identify an individual, either directly or indirectly. This includes basic details such as name, address and phone number. Sensitive data includes information that is more private and requires extra protection because there is a potential for greater harm if it is exposed. This covers details such as health information, financial information, biometric data, genetic data, racial or ethnic origin, and political opinions and beliefs.

The key difference between the two is their nature and the level of protection required. The GDPR imposes stricter rules for processing sensitive personal data, often requiring explicit consent or a specific legal justification.

4. WHAT ARE THE 7 PRINCIPLES OF THE GDPR? EXPLAIN EACH ONE.

They are the foundation of data protection rules in the EU and of compliance efforts for organizations worldwide. The seven principles of the GDPR are:
1. Lawfulness, fairness and transparency: data must be processed legally, with explicit consent, and data subjects must be informed about how their data is being used, typically through privacy notices.
2. Purpose limitation: data should be collected for specified, explicit, and legitimate purposes and not used for another purpose.
3. Data minimization: only the data that is necessary for the intended purposes should be collected and processed.
4. Accuracy: personal data must be accurate and kept up to date. Inaccurate data should be corrected or deleted without delay.
5. Storage limitation: data should be kept in a form that permits identification of individuals for no longer than is necessary for the purposes for which the data is processed.
6. Integrity and confidentiality: data must be protected against unauthorized or unlawful processing and security violations.
7. Accountability: data controllers are responsible for, and must be able to demonstrate, compliance with the GDPR.

5. WHAT ARE THE LEGAL BASES FOR PROCESSING STANDARD PERSONAL DATA (NOT SENSITIVE PERSONAL DATA)? EXPLAIN EACH ONE.

The General Data Protection Regulation sets out the legal bases for processing standard personal data. These legal bases are fundamental to GDPR compliance and guide how organizations can handle personal data. They are: consent, contract execution, legal obligation, vital interests, public task or general interest, and legitimate interests.
1. Consent involves obtaining clear, affirmative permission from data subjects.
2. Contract applies when processing is necessary to fulfill a contractual obligation or to take pre-contractual steps at the individual's request.
3. Legal obligation covers processing required to comply with laws or regulations.
4. Vital interests allows processing to protect someone's life, for example in case of emergency medical care.
5. Public task applies to processing necessary for official functions or tasks in the public interest.
6. Legitimate interests can be used when processing is necessary for the legitimate interests of the organization or a third party, unless overridden by the data subject's rights. A strict legitimate interests assessment (LIA) must always be run.

6. WHAT ARE THE DATA SUBJECT RIGHTS? EXPLAIN EACH ONE.

The General Data Protection Regulation establishes several fundamental data subject rights that empower individuals and give them control over their personal data. These rights are:
- Right to be informed: data subjects have the right to know how their personal data are being collected, processed and used, and organizations must be transparent about their data processing activities, for example through a privacy notice.
- Right of access: individuals can request access to their personal data. They can use a DSAR form.
- Right to rectification: data subjects can have inaccurate personal data corrected or completed without undue delay.
- Right to erasure: data subjects can request that organizations delete their data (the right to be forgotten).
- Right to restrict processing: data subjects can request the restriction of processing of their personal data in specific situations.
- Right to data portability: individuals can obtain their personal data, on request, in a structured, commonly used and machine-readable format, and then transfer it to another data controller if they choose.
- Right to object: data subjects can object to the processing of their personal data in certain circumstances, including for direct marketing purposes.
- Rights related to automated decision making: the right not to be subject to an automated decision without human intervention.

7. WHAT IS A DPO? WHEN DO YOU NEED ONE AND WHAT ARE ITS RESPONSIBILITIES?

The data protection officer is a key role in organizations that process personal data, ensuring compliance with data protection regulations like the GDPR. The position becomes mandatory for public authorities, organizations conducting large-scale systematic monitoring of individuals, or those processing significant amounts of sensitive data.

The DPO's responsibilities are multifaceted, including advising on data protection obligations, monitoring compliance, conducting impact assessments, and serving as the primary contact for data subjects and supervisory authorities. For instance, in a hospital setting, a DPO would oversee the protection of patient records, conduct regular audits of data processing activities, and manage any data breach incidents. By bridging the gap between regulatory requirements and organizational practices, DPOs play a crucial role in fostering a culture of data protection, helping organizations navigate the complex landscape of privacy regulation while balancing business needs with individual rights.

8. WHAT ARE THE DIFFERENT KINDS OF FORMS THAT ARE NECESSARY TO COMPLY WITH THE GDPR?

The General Data Protection Regulation requires organizations to maintain various forms and documents to demonstrate compliance and ensure proper handling of personal data. These forms serve as tangible evidence of an organization's commitment to data protection principles and provide a framework for implementing GDPR requirements in practice. Key forms include:
- The records of processing activities, a mandatory document for companies with more than 250 employees, detailing all data processing activities.
- The DSAR form, which allows data subjects to formally request access to their personal data. Organizations must provide this form and have a process in place to respond to such requests within the legal timeframe, typically one month. Otherwise, the organization can face regulatory fines, legal action and reputational damage.
- The DPIA, which is required to assess risks related to data processing that may affect individuals' rights.
- The LIA and the privacy policy, which informs data subjects of their rights and how their data is being used.

9. WHAT ARE THE FINES UNDER THE GDPR? HOW ARE THEY CALCULATED AND WHO ISSUES THEM?

The General Data Protection Regulation's fining system serves as a powerful enforcement mechanism designed to ensure that organizations prioritize data protection, with penalties severe enough to impact even the largest global corporations. This system not only punishes non-compliance but also acts as a strong deterrent, encouraging proactive measures to safeguard personal data.

The regulation establishes a two-tiered structure for administrative fines. The higher tier allows fines of up to €20 million or 4% of global annual turnover, whichever is greater, for severe infringements. For example, a breach of the consent rules, or a multinational corporation that transfers customer data outside the EU without proper safeguards, could face these maximum fines. The lower tier, with fines of up to €10 million or 2% of turnover, addresses less severe breaches, such as failing to report a data breach within the required 72-hour window.

National data protection authorities, like the ICO (UK) or the CNIL (FR), are responsible for issuing these fines. They consider various factors when calculating penalties, including the nature and gravity of the infringement and any actions taken to mitigate damage. This system ensures that fines are not only punitive but also proportionate and effective in promoting compliance across diverse organizations.

10. WHAT ARE THE RULES FOR INTERNATIONAL DATA TRANSFER UNDER THE GDPR?

Any transfer of personal data to a third country or international organization must comply with the conditions outlined in the GDPR. The fundamental principle is that the level of protection for personal data should not be undermined.

The European Commission can decide whether a third country offers an adequate level of data protection. Some countries are deemed adequate: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the UK, the US (under the new EU-US Data Privacy Framework) and Uruguay. Personal data can be transferred to these countries without additional safeguards.

If a country does not have an adequacy decision, data can still be transferred if appropriate safeguards are in place, such as:
- Binding Corporate Rules (BCRs)
- Standard data protection clauses (SDPC) adopted by the Commission
- An approved code of conduct or certification mechanism

In specific situations, transfers may occur even without adequate protection or safeguards, such as:
- Explicit consent from the data subject
- Transfers necessary for contractual obligations or legal claims
- Protection of the vital interests of the data subject

In all cases data controllers remain liable for compliance with the GDPR, including during international transfers, ensuring that all processing activities adhere to the regulation's requirements.