H-Farm 2024 Fundamentals of IT Law PDF
Document Details
Uploaded by CaptivatingSanity548
H-Farm
2024
H-Farm
Giuliano Zanchi
Tags
Related
- Ley orgánica 3/2018, de 5 de diciembre, de protección de datos personales y garantía de los derechos digitales PDF
- Protection des Données à Caractère Personnel PDF
- Data Protection PDF
- Ley Orgánica 3/2018, de Protección de Datos Personales y Garantía de los Derechos Digitales (PDF)
- Thailand Data Protection Guidelines 3.0 PDF
- Cyber Law Fundamentals PDF
Summary
This document from H-Farm 2024 covers fundamentals of IT law, with a focus on data protection, examples of data breaches, and the role of the Data Protection Officer (DPO). Includes practical examples like a hospital employee copying patient details.
Full Transcript
Giuliano Zanchi H-Farm 2024 FUNDAMENTALS OF IT LAW Companies are encouraged to implement technical and organizational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles rig...
Giuliano Zanchi H-Farm 2024 FUNDAMENTALS OF IT LAW Companies are encouraged to implement technical and organizational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start (data protection by design). By default, companies should ensure that personal data is processed with the highest privacy protection (for example only the data necessary should be processed, short storage period, limited accessibility) so that by default personal data isn’t made accessible to an indefinite number of persons (data protection by default). Giuliano Zanchi H-Farm 2024 FUNDAMENTALS OF IT LAW The use of pseudonymisation is a typical example of privacy by design, since it creates the conditions to protect the confidentiality of the data by using a method which soon after the data are collected in whatever ways. An example of data protection by default recurs when a social media platform sets users’ profile settings in the most privacy-friendly setting by limiting from the start the accessibility of the users’ profile so that it isn’t accessible by default to an indefinite number of people. Giuliano Zanchi H-Farm 2024 FUNDAMENTALS OF IT LAW A data breach occurs when the data for which the company is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity. If that occurs, and it is likely that the breach poses a risk to an individual’s rights and freedoms, the company has to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach. If the company is a data processor it must notify every data breach to the data controller. If the data breach poses a high risk to those individuals affected then they should all also be informed, unless there are effective technical and organizational protection measures that have been put in place, or other measures that ensure that the risk is no longer likely to materialize. Giuliano Zanchi H-Farm 2024 FUNDAMENTALS OF IT LAW For example, a hospital employee decides to copy patients’ details and publishes them online. The hospital finds it out a few days later. As soon as the hospital finds out, it has hours to inform the supervisory authority and, since the personal details contain sensitive information such as whether a patient has cancer, is pregnant, etc., it has to inform the patients as well. In that case, there would be doubts about whether the hospital has implemented appropriate technical and organizational protection measures. If it had indeed implemented appropriate protection measures (for example encrypting the data), a material risk would be unlikely and it could be exempt from notifying the patients. Giuliano Zanchi H-Farm 2024 FUNDAMENTALS OF IT LAW Data Protection Officer (DPO). A company needs to appoint a DPO, whether it's a controller or a processor, if its core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals (for instance, a hospital processing large sets of sensitive data, a security company responsible for monitoring shopping centers and public spaces). In that respect, monitoring the behavior of individuals includes all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising. Public administrations always have an obligation to appoint a DPO, except for courts acting in their judicial capacity. The DPO may be a staff member of the company or may be contracted externally on the basis of a service contact (more frequent solution). Giuliano Zanchi H-Farm 2024 FUNDAMENTALS OF IT LAW The DPO assists the controller or the processor in all issues relating to the protection of personal data. In particular, the DPO must: inform and advise the controller or processor, as well as their employees, of their obligations under data protection law; monitor compliance of the company with all legislation in relation to data protection, including in audits, awareness- raising activities as well as training of staff involved in processing operations; act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights. The DPO must not receive any instructions from the controller or processor for the exercise of their tasks and it reports directly to the highest level of management of the company. Giuliano Zanchi H-Farm 2024 FUNDAMENTALS OF IT LAW Sanctions. GDPR provides the Data Protection Authorities (DPA) with different options in case of non-compliance with the data protection rules: likely infringement – a warning may be issued; Bans and fines infringement: the possibilities include a reprimand, a temporary or definitive ban on processing and a fine of up to €20 million or 4% of the business’s total annual worldwide turnover. It is worth noting that in the case of an infringement, the DPA may impose a monetary fine instead of, or in addition to, the reprimand and/or ban on processing. The authority must ensure that fines imposed in each individual case are effective, proportionate and dissuasive. It will take into account a number of factors such as the nature, gravity and duration of the infringement, its intentional or negligent character, any action taken to mitigate the damage suffered by individuals, the degree of cooperation of the organization, etc. Giuliano Zanchi H-Farm 2024 FUNDAMENTALS OF IT LAW A company sells online household material. Through its website, consumers can buy kitchen appliances, tables, chairs and other domestic goods by entering their bank details. The website suffered a cyber-attack leading to personal details being rendered available to the attacker. In this case, the lack of appropriate technical measures by the company seems to have been the cause of the data loss. In this instance, various factors will be considered by the supervisory authority before deciding what corrective tool to use. Factors such as: how serious was the deficiency in the IT system? How long had the IT infrastructure been exposed to such a risk? Were tests carried out in the past to prevent such an attack? How many customers had their data stolen/disclosed? What type of personal data was affected – did it include sensitive data? All these and other considerations will be taken into account by the supervisory authority. Giuliano Zanchi H-Farm 2024 FUNDAMENTALS OF IT LAW eContracts The association between contracts and information technology con be differently shaped: -the object of a contract can be standard software (license contracts) -the contract can provide for a tailor made software (service contract + license contract) -the object of a contract can be an IT device or in general a hardware (sale contract + license contract) -the contract can provide for software/hardware assistance (service contract) -the contract can be concluded in a digital context (digital contract) Giuliano Zanchi H-Farm 2024 FUNDAMENTALS OF IT LAW We assess and discuss primarily digital contracts or pure IT contracts: contracts entirely negotiated and concluded through digital resources, contracts concluded online agreements made online between sellers and buyers. they define the regulation of selling online E-commerce (direct or indirect) is the name usually given to the general use from business and professional subjects to sell and provide online goods and services. It is made of all the legal and commercial issues connected to the use of online digital technologies in contracts. These kinds of contracts encompass different legal issues depending on the fact that the digital contract is concluded in between business/professional actors (B2B) or between a business/professional actor and a consumer (B2C). Question: C2C? Giuliano Zanchi H-Farm 2024 FUNDAMENTALS OF IT LAW Let us make practical example of the issues emerging in a typical online purchase. Many actors are involved in the process, even in a simplified scheme: -owner of the web site (domain name) -owner of the server where the web site is hosted -manufacturer/supplier of the good -provider of payment services -carrier All these subjects are connected in a network of contracts for the specific role played in the network. Many legal systems are usually involved. In a legal perspective, many legal issues emerge during the transaction/delivery/after-sale process and a basic question arises: is law as such capable to provide for solutions to the legal issues involved?
