Fiche de révision - data protection.pdf

Full Transcript

Data protection - FICHE DE REVISION
1. WHO ARE THE DIFFERENT PLAYERS INVOLVED IN THE GDPR? WHAT ARE THEIR ROLES ,
RESPONSIBILITIES , AND LIABILITIES?

The General Data Protection Regulation involves several key players, each with distinct
roles and responsibilities which are: data subjects, data controllers and data
processors.

Data subjects must be identifying as a natural person who is alive. The
individual must be identifiable from information that directly or indirectly. The
processing of their data should be based on explicit consent. They have several rights,
and these rights empower individuals to have control over their personal data and
ensure that their privacy is respected. The rights are informed, access, rectification,
object, portability, erasure (to be forgotten), right to restrict processing and right related
to automated decision making.

Data controllers can be entities, organizations or an individual that determines the
purposes and means of processing personal data. Their responsibilities are extensive:
obtain valid consent from individuals, maintaining secure records of consent
preferences ensuring data accuracy, responding to correction or deletion requests, and
implementing appropriate technical and organizational measures to protect data. They
are held accountable for GDPR compliance and can face significant fines and
violations.

And Data processors handle personal data under the authority of controllers. Their
main responsibilities include processing data according to the controller’s instructions,
implementing appropriate protection measures, notifying controllers of data breaches,
maintaining records of processing activities, and complying with data deletion
requirements.

2. WHO NEEDS TO FOLLOW THE GDPR? IS THERE ANY WAY YOU CAN BE EXEMPT FROM THE
GDPR?

The General Data Protection Regulation applies to any entity that collects, processes, or
stores personal data of residents within the European Union or in the European
Economic Area. And any business regardless of where is operates that deal with the
EU resident’s personal data whether it’s basic contact information or more sensitive
data falls under the regulation.

However, there are certain exemptions to the full application of the GDPR. First, the
GDPR does not apply to data processing conducted by individuals for purely personal or
household activities. For national security exception, deceased individuals and
some international transfer with adequate safeguards.

3. WHAT IS “PERSONAL DATA” AND “ SENSITIVE PERSONAL DATA ”? WHAT ARE THE
DIFFERENCES BETWEEN THE TWO?

According to the General Data Protection Regulation, personal data refers to any
information that can identify an individual, either directly or indirectly. This includes
basic details like name, address, phone number for example.

And sensitive data, includes information that is more private and requires extra
protection because is a potential for greater harm if exposed. These include details
about: health information, financial, biometric data, genetic data, racial or ethnic origin,
political opinion and beliefs.

The key difference between the twho is the nature and the level of protection required.
The GDPR imposes stricter rules for the processing sensitive personal data, often
requiring explicit consent or specific legal justification.

4. WHAT ARE THE 7 PRINCIPLES OF THE GDPR? EXPLAIN EACH ONE.

They are the foundation of data protection rules in the EU and compliance efforts for
organizations worldwide.

There are the seven principles of GDPR:

1. Lawfulness, fairness and transparency: Data must be processed legally, with
explicit consent and be informed about how their data is being used, typically
through privacy notices.
2. Purpose limitation: Data should be collected for specified, explicit, and
legitimate purposes and not for another purpose.
3. Data minimization: only the data that is necessary for the intended purposes
should be collected and processed.
4. Accuracy: personal data must be accurate and kept up to data. Inaccurate data
should be corrected or deleted without delay.
5. Storage limitation: data should be kept in a form that permits identification of
individuals for no longer than is necessary for the purposes for which the data is
processed.
6. Integrity and confidentiality: data must be protected against unauthorized or
unlawful processing and security violation.
7. Accountability: data controllers are responsible for and must be able to
demonstrate compliance with the GDPR.
 5. WHAT ARE THE LEGAL BASIS FOR PROCESSING STANDARD PERSONAL DATA ? EXPLAIN
EACH ONE. (N OT SENSITIVE PERSONAL DATA )

the General Data Protection Rules shows legals bases for processing standard personal
data. These legal bases are fundamental to GDPR compliance and guide how
organizations can handle personal data. Which are : consent, contract execution,
legal obligation, vital interests, public task or general interests and legitimate
interests.

1. Consent involves obtaining clear, affirmative permission from data subjects
2. Contract applies when processing is necessary to fullfill contractual obligation or
take pre-contractual steps at the individual request.
3. Legal obligations covers processing required to comply with laws or regulations.
4. Vital interests allow processing to protect someone’s life for example in can of an
emergency medical care
5. Public task applies to processing necessary for official functions or tasks in the
public interest
6. Legitimate interests can be used when is necessary for the legitimate interests of
the organization or a third party unless overridden by data subject’s rights. And is
always to runs a strict legitimate assessment (LIA).

6. WHAT ARE THE DATA SUBJECT RIGHTS ? EXPLAIN EACH ONE.

The General Data Protection Regulation several fundamental data subjects rights that
empower individuals and give them control over their personal data. These rights are :

- Right to be informed: data subjects have to know how their personal data are
being collected, processed and used. And organizations must be transparent
about their data processing activities for example the privacy notice.
- Right to access: individuals can request access to their personal data. They can
use a DSAR forms.
- Right to rectification: data subjects can correct or completed inaccurate
personal data without indue delay.
- Right to erasure: data subjects can request organizations to delete their data as
a right to be forgotten.
- Right to restict processing: Data subjects request thr restriction of processing
of their personal data in specific situations.
- Right to data portability: individuals can obtain their personal data if they
requested in structured, commonly used, and machine-readable. And then,
transfer it to another data controller if they choose.
- Right to object: data subjects can object to the processing of their personal data
in circumstances, including for direct marketing purposes.
 - Right to related to automated decision making: right not to be subject to
automated decision without human intervention.

7. WHAT IS A DPO? WHEN DO YOU NEED ONE AND WHAT ARE ITS RESPONSIBILITIES ?

Data protection officer is a main role in organizations that process personal data,
ensuring compliance with data protection regulations like the GDPR. This position
becomes mandatory for public authorities, organizations conducting large-scale
systemic monitoring of individuals, or those processing significant amounts of sensitive
data. The DPO’s responsibilities are multifaced including advising on data protection
obligations, monitoring compliance, conducting impact assessments, and serving as
the primary contact for data subjects and supervisory authorities.

For instance, in a hospital setting, a DPO would oversee the protection of patient
records, conduct regular audits of data processing activities, and manage any data
breach incidents.

By bridging the gap between regulatory requirements and organizational practices,
DPOs play a crucial role in fostering a culture of data protection, helping organizations
navigate the complex landscape of privacy regulation while balancing business needs
with individual rights.

8. WHAT ARE THE DIFFERENT KINDS OF FORMS THAT ARE NECESSARY TO COMPLY WITH THE
GDPR?

The General Data Protection Regulation requires organizations to maintain various
forms and documents to demonstrate compliance and ensure proper handling of
personal data. These forms serve as tangible evidence of an organization's commitment
to data protection principles and provide a framework for implementing GDPR
requirements in practice.

Key forms include records of processing activities which is a mandatory document for
companies with more than 250 employees, detailing all data processing activities. The
DSAR form, allow data subjects to formally request access to their personal data.
Organizations must provide this form and have a process in place to respond to such
requests within the legal timeframe, typically one month. Otherwise, it can result in
regulatory fines, legal action and reputational damage for the organization.
The are also, the DPIA that required to assess risk related to data processing that may
affect individuals’ rights. LIA and Privacy policy informs data subjects of their rights and
how their data is being used.
 9. WHAT ARE THE FINES UNDER THE GDPR? HOW ARE THEY CALCULATED AND WHO ISSUES
THEM ?

The General Data Protection Regulation fining system serves as a powerful enforcement
mechanism designed to ensure organizations prioritize data protection, with penalties
severe enough to impact even the largest global corporations. This system not only
punishes non-compliance but also act as a strong deterrent, encouraging proactive
measures to safeguard personal data.

The regulation establishes a two-tiered structure for administrative fines. The higher
their allows for fines of up to 20 € M or 4% of global annual turnover, whichever is
greater, for severe infringement. For example, a consent or a multinational corporation
that transfers customer data outside the EU without proper safeguards could face these
maximum fines. The lower tier, with fines up 10 € M or 2% of turnover, addresses less
severe breaches, such as failing to report a data breach within the required 72 hours
window.

National data protection authorities like ICO (UK) or CNIL (FR), are responsible for
issuing these fines. They consider various factors when calculating penalties, including
the nature and gravity of the infringement and any actions take to mitigate damage. This
system ensures that fines are not only punitive but also proportionate and effective in
promoting compliance across diverse organizations.

10. WHAT ARE THE RULES FOR INTERNATIONAL DATA TRANSFER UNDER THE GDPR

Any transfer of personal data to a third country or international organization must
comply with the conditions outlined in the GDPR. The fundamental principle is that the
level of protection for personal data should not be undermined.

The European Commission can decide whether a third country offers an adequate level
of data protection. Some countries are deemed adequate: Andorra, Argentina, Canada,
Faroe Islands, Guernsey, Israel, Isle of man, Japan, Jersey, New Zealand, Republic of
Korean, Switzerland UK, US under the new EU-US data privacy framework and Urugay.
Thus, personal data can be transferred without additional safeguards.

If a country does not have an adequacy decision, data can still be transferred if
appropriate safeguards are in place, such as:

- Binding Corporate Rules (BCRs)
- Standard data protection clauses (SDPC) adopted by the Commission
- An approved code of conduct or certificate mechanism
In specific situations, transfers may occur even without adequate protection or
safeguards such as:

- Explicit consent from the data subject
- Transfers necessary for contractual obligations or legal claims
- Protection of vital interests of the data subject

In all case data controllers remain liable for compliance with GDPR, including during
international transfers, ensuring that all processing activities adheres to the regulation’s
requirements.