Personal Data Protection and Management PDF

Summary

This document provides an overview of personal data protection and management, focusing on GDPR principles, subjects' rights, and privacy policies. It covers topics such as data subject rights, consent, cookies, and data protection officer responsibilities. The presentation helps you understand key concepts related to the protection of personal data.

Full Transcript


Personal Data Protection and Management Course
Professor: Aline YVON ([email protected])
Course Coordinator: Clare Keonha Shin ([email protected])

GDPR Data Subject's Rights: Chapter III (Articles 12-23) and Article 7
Data subjects are given 7 distinct rights over their data under the GDPR. What are those rights?
– Right of access
– Right to rectification
– Right to erasure (right to be forgotten)
– Right to restriction of processing
– Right to data portability
– Right to object
– Right to withdraw consent

Right of Access (Article 15)
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, etc.

Right to Rectification (Article 16)
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to Erasure (Article 17), also called the right to be forgotten
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay.

Right to Restriction of Processing (Article 18)
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1), pending the verification whether the legitimate grounds of the controller override those of the data subject.

Right to Data Portability (Article 20)
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

Right to Object (Article 21)
1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her…
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
…
5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Right to Withdraw Consent (Article 7(3))
The data subject shall have the right to withdraw his or her consent at any time.

GDPR Article 6(1): How to Handle Personal Data
Processing of personal data is lawful only if it rests on a legal basis, which must be one of the six listed in Article 6(1). Processing shall be lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Conditions for Consent (Article 7)
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
3. The data subject shall have the right to withdraw his or her consent at any time.

What is Consent under the GDPR? (Article 4(11))
– Freely given: the person must not be pressured into giving consent or suffer any detriment if they refuse.
– Specific: the person must be asked to consent to individual types of data processing.
– Informed: the person must be told what they are consenting to.
– Unambiguous: the language must be clear and simple.
– Clear affirmative action: the person must expressly consent by doing or saying something.
If you are missing any one of these five elements, you do not have consent under the GDPR.

Express Consent
You ask for someone's consent, they understand the question and its implications, and they make a genuine choice. Examples:
– Filling in a form
– Ticking a box on a website
– A phone or face-to-face conversation
https://www.montclair.edu/president/university-counsel/gdpr-consent-form-template/

Principles about cookies
Cookies are small files that are written to and/or read from your device when you visit a website, read an email, install or use software or a mobile application, etc. They fall into two groups:
TECHNICAL COOKIES
– Installed exclusively to facilitate electronic communication and absolutely necessary for the provision of the service requested on the Internet
– Certain audience-measurement cookies strictly necessary for the operation of the site
– No consent is necessary
TRACKING COOKIES
– Advertising
– Tracking of user behaviour
– Social networks
– Audience measurement such as Google Analytics
– Consent is mandatory

Principles about cookies: CNIL recommendation
Maintain two levels of information:
– Step 1: cookie banner
– Step 2: cookie manager
Evolution of consent-gathering practices:
– "Accept all / refuse all" and/or consent by purpose or type of cookie
– No choice = no consent (the user can close the window and continue freely on the site; only technical cookies may be set)
– Consent can be withdrawn just as easily as it was given (a pop-up window or link remains available on the site)
– Consent is valid for a maximum of 6 months, after which it must be collected again

Consent Through Cookies? (consent banners to compare)
https://www.southbankcentre.co.uk
https://www.healthline.com
https://www.edq.com/cookie-policy/
https://edition.cnn.com
Pre-ticked boxes are NOT allowed under the GDPR, but are allowed in some countries outside the EU.

Consent of Minors (Article 8)
To process the personal data of a child on the basis of consent, parental authorization is required. The threshold age varies between 13 and 16 among member states; to be sure, check the national law.

GDPR Cases on Children's Data
In August 2019 the Swedish supervisory authority fined a Swedish school €18,630 for a trial in which facial recognition was used to monitor students' attendance.
– 22 students, 3 weeks
– Consent was obtained from parents, but it was not possible to refuse (so the consent was not freely given)
– The data were stored on a computer hard drive locked in a cabinet
– The school did not carry out a DPIA
Breach of Article 5 (data minimisation: facial recognition was disproportionate for attendance monitoring), Article 9 (biometric data) and Articles 35 and 36 (no DPIA and no prior consultation).
https://edpb.europa.eu/news/national-news/2019/facial-recognition-school-renders-swedens-first-gdpr-fine_sv

Legitimate interest (example)
A bank gives a loan to a client. After some time the client stops making payments to the bank. The bank tries but cannot locate the client: she has moved and did not give the bank her new address. The bank hires a debt collection agency to find the client and seek repayment of the debt, and to this end discloses the client's personal data to the agency. The client has not consented to this disclosure, but it is lawful because the bank pursues a legitimate interest: recovering the debt. However, also under the GDPR, the bank may only disclose personal data that are accurate, up to date and no more than the agency requires to recover the debt. Legitimate interest must always be proportionate.

Legitimate Interests Assessment (LIA) form
– Purpose test: why do you want to process the data?
– Necessity test: how will this processing help you achieve your purpose?
– Balancing test: are your interests overridden by the interests or fundamental rights and freedoms of the data subject?

DPO – Data Protection Officer (Articles 37-39)
A DPO must be designated when:
– the core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale (Article 37(1)(b)), or consist of large-scale processing of special-category or criminal-conviction data (Article 37(1)(c));
  – Regular = ongoing for a particular period, recurring at fixed times, constantly or periodically taking place
  – Systematic = occurring according to a system, pre-arranged, organized, carried out as part of a strategy
  – Large scale = measured by the number of data subjects (and the volume and duration of the processing), NOT by company size
– the processing is carried out by a public authority or body (publicly funded museums, state schools, universities);
– the law of an EU member state requires it.

DPO – Data Protection Officer (continued)
– Employee or contracted
– Has a strong understanding of the organization itself
– Not a temporary position: minimum tenure of two years, renewable up to a maximum of five terms (10 years in total). Note that these figures come from the rules for DPOs of the EU institutions; the GDPR itself fixes no term of office.
– Must be an independent position:
  – Reports to the highest management level
  – Cannot be swayed by business interests (no conflicts of interest)
  – Can request the resources and support needed to fulfil their duties
  – Cannot be the controller, i.e. cannot determine the purposes and means of processing personal data (head of marketing = not allowed)
– Cannot be dismissed or penalised for performing their tasks (Article 38(3)). For the EU institutions, a DPO may additionally only be dismissed if they no longer fulfil the conditions of the post, and only with the consent of the European Data Protection Supervisor.

DPO Tasks (Article 39)
– Inform and advise the organization and its employees of their obligations, raise awareness of the regulation, and act as contact point for data subjects about their rights
– Advise the institution on the application of the GDPR rules and monitor compliance
– Carry out prior checks of risks (advise on DPIAs and monitor their performance) and keep a list of the processing operations the organization will undertake
– Help the institution demonstrate accountability to the supervisory authority
– Answer questions and handle complaints related to the processing of personal data
– In an investigation, act as the contact point and cooperate between the organization and the supervisory authority

DPO's Administrative Responsibilities
– Oversee privacy policies, privacy notices and cookie policies
– Maintain all record keeping:
  – The Article 30 record of processing activities (mandatory for organizations with 250 or more employees; smaller organizations are exempt only if their processing is occasional, unlikely to result in a risk, and involves no special-category or criminal-conviction data)
  – DPIAs
  – LIAs

What is a Privacy Notice?
The GDPR does not use this term; the obligation derives from reading Articles 12, 13 and 14 together. A privacy notice is a document addressed to the data subject (DS) that explains how their personal data (PD) will be processed, the data subject rights (DSR), and the other mandatory information. Note that a privacy notice (public, addressed to data subjects) and a privacy policy (internal, addressed to employees and other persons involved in processing personal data) are not necessarily the same document.

Privacy Policies and Privacy Notices: how to draft one? (Article 12)
Provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing…

Privacy Policy Examples
– https://www.edq.com/privacy-policy-free-trial/
– Example on IOL
– 23andMe
– Privacy Policies of 150 Websites (NY Times), rated by the reading level they require: Professional, Career, College, High School, Middle School
– https://www.ieseg.fr/en/privacy-policy/#:~:text=Data%20subjects%20have%20the%20right,the%20processing%20regarding%20their%20data.

23andMe:
"We will share your information with law enforcement agencies, public authorities or other organizations if legally required to do so, or if such use is reasonably necessary to comply with a legal obligation, process or request."
"We will share your information (…) based on our legitimate business interests."

TikTok:
When you download, install and use TikTok, you automatically agree to its privacy policy. This policy states that TikTok is allowed to collect all kinds of information about its users without giving them a chance to opt out. TikTok could theoretically record conversations and sounds using your microphone, even when you are not filming a TikTok video.

Record Keeping Obligations (Article 30)
Data controllers must keep a record of all processing activities, containing:
– Name and contact details of the controller, any joint controller, the controller's representative and the DPO
– Purposes of the processing
– Description of the categories of data subjects and of personal data
– Categories of recipients of the personal data, including recipients in third countries or international organizations
– Transfers of personal data to third countries or international organizations
– Retention periods
– General description of the technical and organizational security measures
Data processors must keep a record of all categories of processing activities carried out on behalf of a controller, containing:
– Name and contact details of the processor, of each controller on behalf of which it acts, of any representative and of the DPO
– Categories of processing carried out on behalf of each controller
– Transfers of personal data to third countries or international organizations
– General description of the technical and organizational security measures

Record Keeping Requirements and Exceptions
Record Keeping Example: full Excel sheet on IOL

PIA – Privacy Impact Assessment / DPIA – Data Protection Impact Assessment (Article 35)
Mandatory where the processing is likely to result in a high risk to the rights and freedoms of data subjects. Look at the nature, scope, context and purposes of the processing. Are you using new technology such as AI? Article 35(3) names in particular:
– Systematic and extensive evaluations of personal aspects based on automated processing, including profiling
– Large-scale processing of special-category data or criminal-conviction data
– Systematic monitoring of publicly accessible areas on a large scale (e.g. CCTV)
Identify the risks that may arise when processing the data and how to mitigate them.

How to determine when a DPIA is necessary?
The Article 29 Working Party (G29, now the European Data Protection Board, EDPB) drew up a list of 9 criteria. When 2 of these 9 criteria are met, an impact assessment must in most cases be carried out. The criteria are the following:
1) Evaluation or scoring, including profiling and prediction activities
2) Automated decision-making with legal or similarly significant effect
3) Systematic surveillance
4) The collection of sensitive data
5) The collection of personal data on a large scale
6) The cross-referencing or combination of data
7) The processing of data relating to vulnerable persons
8) Innovative use or application of new technological or organizational solutions
9) Processing operations that prevent data subjects from exercising a right or benefiting from a service

DPIA – Harms
Identify any harm or damage your processing may cause, whether physical, emotional or material:
– Inability to exercise rights
– Loss of control over the use of personal data
– Discrimination
– Identity theft or fraud
– Financial loss
– Reputational damage
– Physical harm
– Loss of confidentiality
– Re-identification of pseudonymized data
– Significant social or economic damage

DPIA – Mitigations
– Deciding not to collect certain data
– Taking additional security measures
– Limiting the scope of processing
– Reducing retention time
– Training staff to anticipate and mitigate risks
– Anonymizing or pseudonymizing data
– Making appropriate changes to privacy notices
– Data-sharing agreements
– Implementing new systems to help data subjects exercise their rights
– Offering an opt-out

DPIA Exceptions (Article 35(10))
– Legal obligation necessity (Article 6(1)(c))
– Public interest necessity (Article 6(1)(e))
In both cases the exception applies only where the processing has a basis in Union or member state law and a DPIA was already carried out as part of the general impact assessment for that law.

DPIA and the SA (Article 36)
You must consult your supervisory authority (SA) if, after conducting the DPIA, the processing would still result in a high risk to the rights and freedoms of data subjects even after the mitigating measures. The SA must provide written advice within 8 weeks of receiving the consultation request; this period can be extended by 6 weeks.

Exercise – Is a DPIA necessary?
PROCESSING | MEASURE | ANSWER
Management of employees' working time | Badge in order to enter the premises | NO
Control over access to the premises | Collection of the biometric fingerprint in order to access the premises | YES
Management of data breaches | Cyber-surveillance of all employee emails (Data Loss Prevention) | YES
Safety of a stadium | Blacklist of all potentially dangerous spectators such as hooligans | YES

DPIA Template
https://www.cnil.fr/en/PIA-privacy-impact-assessment-en
https://app.dporganizer.com/for-controllers/dpia

Exercise
Install the PIA tool: https://www.cnil.fr/fr/outil-pia-telechargez-et-installez-le-logiciel-de-la-cnil
Fill out a DPIA using the tool.

Group Project (40%)
Read the group project prompt (available under the 'General' tab):
– Respond to the letter you have received
– Attach the proper forms
E-mail the assignment to your professor. Deadline = 4 March 2025 at 11.59 pm.
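The cookie slides above state the rules a consent banner has to implement (technical cookies need no consent, tracking cookies need an explicit opt-in, no pre-ticked boxes, no choice = no consent, withdrawal as easy as consent, a 6-month validity), and Article 21(5) adds that a data subject may object "by automated means using technical specifications". The following JavaScript is an added example written for this page, not code from the course or from any of the sites listed; it shows one way to gate non-essential scripts on such a consent record in the browser. The names (ConsentManager, PURPOSES, MemoryStorage), the 182-day constant and the mapping of a Global Privacy Control signal onto the advertising and social purposes are this example's own assumptions.

```javascript
// Added example (not from the course slides): gate non-essential cookies on
// explicit, per-purpose, expiring and revocable consent, and honour an
// automated objection signal. PURPOSES, ConsentManager, MemoryStorage and
// the 182-day constant are this example's own choices.

const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // CNIL: consent valid at most 6 months
const CONSENT_KEY = 'cookie_consent_v1';

// Purposes the visitor is asked about. Strictly necessary ("technical")
// cookies are not a purpose here: they need no consent and are never gated.
const PURPOSES = ['analytics', 'advertising', 'social'];
// Purposes refused by an automated objection signal (Global Privacy Control,
// a "technical specification" in the sense of Article 21(5)). Mapping GPC to
// exactly these purposes is this example's assumption.
const MARKETING_PURPOSES = ['advertising', 'social'];

// localStorage look-alike so the example also runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

class ConsentManager {
  // storage: window.localStorage or MemoryStorage; now: injectable clock;
  // gpc: true when the browser exposes navigator.globalPrivacyControl === true.
  constructor(storage, { now = () => Date.now(), gpc = false } = {}) {
    this.storage = storage;
    this.now = now;
    this.gpc = gpc;
  }

  // Stored choice, or null when none exists or it is older than six months.
  // Closing the banner without choosing stores nothing: no choice = no consent.
  record() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (raw === null) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { return null; }
    if (!rec || typeof rec.ts !== 'number' || this.now() - rec.ts > SIX_MONTHS_MS) {
      this.storage.removeItem(CONSENT_KEY); // expired or corrupt: ask again
      return null;
    }
    return rec;
  }

  // Per-purpose choice. Only an explicit boolean true counts as granted;
  // anything missing or merely truthy is recorded as refused.
  save(choices) {
    const granted = {};
    for (const p of PURPOSES) granted[p] = choices[p] === true;
    this.storage.setItem(CONSENT_KEY, JSON.stringify({ ts: this.now(), granted }));
    return granted;
  }
  acceptAll() { return this.save(Object.fromEntries(PURPOSES.map(p => [p, true]))); }
  refuseAll() { return this.save({}); }
  withdraw() { this.storage.removeItem(CONSENT_KEY); } // as easy as giving it

  // The single gate every non-essential script passes before touching cookies.
  isGranted(purpose) {
    if (purpose === 'technical') return true;
    if (this.gpc && MARKETING_PURPOSES.includes(purpose)) return false; // Art. 21(2) objection
    const rec = this.record();
    return rec !== null && rec.granted[purpose] === true;
  }
  needsBanner() { return this.record() === null; }
}

// Initial checkbox state for the step-2 cookie manager: every purpose unticked
// (pre-ticked boxes are not valid consent).
function initialBannerState() {
  return Object.fromEntries(PURPOSES.map(p => [p, false]));
}

// Load a tracker (Google Analytics in the slides) only if its purpose is
// granted. `loader` is injected so the gate is testable without a DOM.
function loadIfAllowed(cm, purpose, loader) {
  if (!cm.isGranted(purpose)) return false;
  loader();
  return true;
}
```

In a real page the `loader` would inject the analytics `<script>` tag, and the banner's "Accept all", "Refuse all" and per-purpose buttons would call `acceptAll`, `refuseAll` and `save`; the important property is that nothing outside `isGranted` decides whether a tracking cookie may be set, so a refused or expired choice cannot be bypassed by a script that simply forgets to check.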
