Privacy and Data Protection based on the GDPR

Author: Leo Besemer. Genre: educational literature. Rights holder and/or publisher: Ingram. ISBN: 9789401806787. Age rating: 0+.


Book description

Information about people is becoming increasingly valuable. Enabled by new technologies, organizations collect and process personal data on a large scale. Free flow of data across Europe is vital for the common market, but it also presents a clear risk to the fundamental rights of individuals. This issue was addressed by the Council of the European Union and the European Parliament with the introduction of the General Data Protection Regulation (GDPR). For many organizations processing personal data, the GDPR came as a shock. Not so much its publication in the spring of 2016, but rather the articles that appeared about it in professional journals and newspapers leading to protests and unrest. “The heavy requirements of the law would cause very expensive measures in companies and organizations”, was a concern. In addition, companies which failed to comply “would face draconian fines”.

This book is intended to explain where these requirements came from and to prove that the GDPR is not incomprehensible, that the principles are indeed remarkably easy to understand. It will help anyone in charge of, or involved in, the processing of personal data to take advantage of the innovative technologies in processing without being unduly hindered by the limitations of the GDPR. The many examples and references to EDPB (European Data Protection Board) publications, recent news articles and case law clarify the requirements of the law and make them accessible and understandable.

“Leo’s book can provide very effective support to you and your colleagues in reaching this understanding and applying it in practice.” Fintan Swanton, Managing Director of Cygnus Consulting Ltd., Ireland.

Table of contents

Leo Besemer. Privacy and Data Protection based on the GDPR

Other publications by Van Haren Publishing

Privacy and Data Protection based on the GDPR

Colophon

Foreword

Contents

Acknowledgements

How this book is organized

PART I | Privacy and data protection history and scope

1 History and context

1.1 The history of privacy and data protection

1.1.1 Human rights law

1.1.1.1 Universal Declaration of Human Rights

1.1.1.2 European Convention on Human Rights

1.1.1.3 OECD Guidelines and the Treaty of Strasbourg

1.1.1.4 Council of Europe (CoE) Convention 108

1.1.1.5 Data Protection Directive 95/46/EC

1.1.1.6 Charter of Fundamental Rights

1.1.1.7 Treaty of Lisbon

1.1.1.8 General Data Protection Regulation (EU) 2016/679

1.1.2 Milestones in Data Protection history

1.2 Context within European and national law

1.2.1 European legal acts

1.2.1.1 Regulation

1.2.1.2 Directive

1.2.1.3 Decision

1.2.1.4 Recommendation

1.2.2 European legal acts complementing the GDPR

1.2.2.1 Directives 2002/58/EC and 2009/136/EC (on privacy and electronic communications)

1.2.2.2 ePrivacy Directive and Regulation

1.2.2.3 Decisions 2001/497, 2004/915 and 2010/87 (standard contractual clauses)

1.2.2.4 Directive 2016/680 (police and judicial cooperation in criminal matters)

1.2.2.5 Directive 2016/681 (on the use of passenger name record (PNR) data)

1.2.2.6 Regulation (EU) 2018/1725 (on processing by Union institutions)

1.2.3 GDPR implementation laws

1.2.4 Other complementing law

1.2.5 The concepts of subsidiarity and proportionality

1.3 The scope of the GDPR

1.3.1 The concept of personal data

1.3.1.1 Direct personal data

1.3.1.2 Indirect personal data

1.3.1.3 Pseudonymized personal data

1.3.1.4 Anonymized data

1.3.1.5 The concept of processing

1.3.2 Material scope of the GDPR

Filing system

1.3.2.1 Other exceptions

Crime prevention and prosecution by competent authorities

Household activities

1.3.3 Geographical scope of the GDPR

1.3.3.1 Establishment criterion

“… an establishment in the Union, …”

“… in the context of the activities of an establishment” …

“…in the Union”

1.3.3.2 Targeting criterion

PART II | Principles and practice of processing

2 Stakeholder roles, rights and obligations

2.1 Controller

2.1.1 Accountability

2.1.2 Implementing data protection by design and by default

2.1.2.1 The seven principles of data protection by design

Proactive not Reactive; Preventative not Remedial

Data Protection as the Default Setting

Privacy Embedded into Design

Full Functionality — Positive-Sum, not Zero-Sum

End-to-End Security — Full Lifecycle Protection

Visibility and Transparency — Keep it Open

Respect for User Privacy — Keep it User-Centric

2.1.3 Required types of administrations

2.1.3.1 Records of processing activities

2.1.3.2 Records of personal data breaches

2.1.3.3 Derogation for small companies

2.1.4 GDPR security requirements

2.1.5 Outsourcing of processing actions

2.1.5.1 Processor agreement

2.2 Processor

2.2.1 Obligations of the processor

2.2.1.1 Required types of administration

Records of processing operations

Record of personal data breaches

2.3 Representative

2.4 Data protection officer (DPO)

2.4.1 Mandatory appointment

2.4.1.1 Notification obligation

2.4.1.2 Core activities

2.4.1.3 Regular and systematic monitoring

2.4.1.4 Processing on a large scale

2.4.1.5 Optional appointment of a DPO

2.4.2 Tasks of a data protection officer

2.4.3 Position of the DPO in the organization

2.4.3.1 Independence

2.4.3.2 Protection of the DPO

2.4.3.3 Conflicts of interest

2.5 Recipients and third parties

3 The principles of processing personal data

Six principles (or seven?)

Principles relating to processing of personal data

3.1 Lawfulness, fairness and transparency

3.1.1 Lawfulness

3.1.2 Fairness and transparency

3.2 Purpose specification and purpose limitation

Specified

Explicit

Legitimate

3.2.1 Purpose limitation and further processing

3.2.1.1 Further processing

3.2.1.2 Compatibility assessment

The relationship between initial purposes and purposes of further processing

The context in which the data has been collected and the reasonable expectations of the data subjects as to its further use

The nature of the data and the impact of the further processing on the data subjects

3.2.1.3 Derogations

3.3 Data minimization

3.4 Accuracy

3.4.1 Reasonable steps

3.4.2 Not incorrect or misleading as to any matter of fact

3.4.3 Need to update

3.4.4 Personal data challenged

3.5 Storage limitation

3.6 Integrity and confidentiality

3.6.1 A level of security appropriate to the risk

3.6.1.1 State of the art

3.6.1.2 Multi-factor access control

3.6.1.3 Awareness

3.6.1.4 Pseudonymization

3.6.1.5 Encryption

3.6.1.6 Authenticity and non-repudiation

3.7 Subsidiarity and proportionality

3.7.1 Subsidiarity

3.7.2 Proportionality

4 Lawful grounds for processing

4.1 Personal data: processing is permitted, provided …

Lawfulness of processing

4.1.1 Necessary for the performance of a contract

The concept of “contract”

4.1.2 Necessary for compliance with a legal obligation

4.1.3 Necessary to protect a vital interest

4.1.4 Necessary in the public interest or by an official authority

4.1.5 Necessary for a legitimate interest of the controller

4.1.5.1 Legitimate Interest Assessment (LIA)

The concept of interest

Legitimate

Necessity

Subsidiarity

Balancing test

Transfer of data

Services directed at children and other vulnerable individuals

4.1.6 Consent of the data subject

4.1.6.1 Conditions for consent

Freely given

Specific

Informed

Unambiguous

4.1.6.2 Consent of children

4.2 Sensitive data: processing is prohibited, unless…

4.2.1 The concept of “sensitive data”

Categories of special personal data

4.2.1.1 Genetic data

4.2.1.2 Biometric data

4.2.2 Derogations from the prohibition to process sensitive data

Explicit consent

Employment

Vital interest

Membership of organizations

Publicly disclosed data

Legal proceedings

Substantial public interest

Medicine

Public health

Research

Other rules and types of data

4.3 Recapitulating: the case of Santa Claus

5 The rights of the data subjects

5.1 Right to transparent information, communication and modalities

5.1.1 Information to be provided to the data subject

Required information on the controller and the processing

Required information on the rights of the data subject

Required information on automated decision-making, including profiling

Required information to be provided when transferring personal data

Required information when personal data is obtained from the data subject directly

Required information when personal data is not obtained from the data subject

5.1.2 Derogations to the obligation to provide information

5.1.3 Timing of the response to a request

5.2 Right of access (inspection)

5.2.1 Timing and limitations to the right of access

5.2.2 Refusing a request

5.2.3 Conditions for compliance

5.3 Right to rectification

5.3.1 The concepts of “inaccurate” and “incomplete”

5.3.2 Timing of the response to a request

5.3.3 Refusing a request

5.3.4 Notification obligation

5.3.5 Conditions for compliance

5.4 Right to erasure (“right to be forgotten”)

5.4.1 Timing of the response to a request

5.4.2 Refusing a request

5.4.3 Notification obligation

5.4.4 Conditions for compliance

5.5 Right to restriction of processing

5.5.1 Grounds to have processing restricted

5.5.2 Timing of the response to a request

5.5.3 Refusing a request

5.5.4 Notification obligation

5.5.5 Conditions for compliance

5.6 Right to data portability

5.6.1 Concepts addressed in the right to portability

5.6.1.1 Without hindrance

5.6.1.2 Structured

5.6.1.3 Commonly used

CSV

XML

JSON

5.6.1.4 Machine-readable

5.6.2 Timing of the response to a request

5.6.3 Refusing a request

5.6.4 Conditions for compliance

5.7 Right to object

Direct marketing

Public task or legitimate interests

Research and archive purposes

5.7.1 Timing of the response to a request

5.7.2 Refusing a request

Direct marketing

Research, Archiving, Statistics

Legal claims

5.7.3 Conditions for compliance

5.8 Rights related to automated decision-making, including profiling

5.8.1 The concepts of profiling and automated decision-making

Legal effects

Similarly significant

5.8.2 Legitimate use of profiling and/or automated decision-making

5.8.2.1 Profiling for direct marketing

5.8.3 Conditions for compliance

5.9 Right to lodge a complaint with a supervisory authority

5.9.1 Representation

6 Data governance

6.1 Data governance

6.1.1 Understanding the data streams

6.1.1.1 Data collection

6.1.1.2 Permissions structure

6.1.1.3 Build in retention and deletion rules

6.1.2 Data lifecycle management (DLM)

6.1.2.1 The purpose of Data Lifecycle Management (DLM)

6.2 Data protection audit

6.2.1 Purpose of an audit

6.2.1.1 Adequacy audit

6.2.1.2 Compliance audit

6.2.2 Contents of an audit plan

7 Processing and the online world

7.1 The use of personal data in marketing

7.1.1 Cookies – the technical view

7.1.1.1 What is a cookie?

7.1.1.2 Session cookies

7.1.1.3 Persistent cookies

7.1.2 Cookies – the privacy perspective

7.1.3 The price of “free” services

7.1.3.1 Tracking cookies

7.1.4 Profiling

7.1.5 Automated decision-making

Legal effects

Similarly significant

7.1.5.1 Exceptions

7.1.5.2 Safeguards

Children

7.2 Big data, artificial intelligence and machine learning

7.2.1 The concept of big data

7.2.1.1 Artificial intelligence (AI)

7.2.1.2 Machine learning

7.2.2 AI challenges regarding GDPR compliance

7.2.2.1 Lawfulness, transparency and fairness

Lawfulness

Transparency

Fairness

7.2.2.2 Purpose limitation, data minimization and storage limitation

7.2.2.3 Accuracy

Hidden bias

7.2.3 Anonymization

7.3 Interplay between GDPR and ePrivacy Directive

PART III | International data transfers

8 Cross-border transfers within the EEA

8.1 The concept of data transfer

8.2 Multinational cases

8.2.1 Identifying the lead supervisory authority

8.2.2 Processing across different jurisdictions

8.2.2.1 Age

8.2.2.2 National law

9 Cross-border transfers outside the EEA

9.1 Transfers on the basis of an adequacy decision

9.2 Transfers subject to appropriate safeguards

Appropriate safeguards

9.3 Binding corporate rules (BCR)

9.4 Standard Contractual Clauses (SCCs)

9.5 Transfers or disclosures not authorized by Union law

9.6 Derogations

PART IV | Risk assessment and mitigation

10 Data Protection Impact Assessment (DPIA) and prior consultation

10.1 Objectives of a DPIA

10.2 Topics of a DPIA report

10.2.1 Publishing the DPIA report

10.3 Executing a DPIA

10.4 List of criteria for a mandatory DPIA

10.5 Prior consultation

11 Personal data breaches and related procedures

11.1 The concept of data breach

11.1.1 Security considerations

11.1.1.1 Vulnerability

11.1.1.2 Threat

11.1.1.3 Security goals

Confidentiality

Integrity

Availability

11.1.1.4 Security incident

11.1.1.5 Data breach

11.1.1.6 Personal data breach

11.2 How to monitor and prevent a personal data breach

11.3 What to do when a personal data breach occurs

Step 1 – Investigate

Step 2 – Mitigate the breach

11.4 Notification obligations in relation to personal data breaches

Step 3 – Notification

Controller

Processor

Information to provide to the DPA

High-risk

11.5 Types and categories of personal data breaches

PART V | The supervisory authorities

12 Data Protection Authority (DPA)

12.1 Independence

12.2 Competences, tasks and powers of a Supervisory Authority

12.2.1 To monitor and enforce the application of the Regulation

12.2.2 To advise and promote awareness

12.2.3 To administrate personal data breaches and other infringements

12.2.4 To set standards

Processing requiring DPIA

Codes of conduct and certification

Standard contractual clauses and binding corporate rules

12.3 Roles and responsibilities related to personal data breaches

12.4 Powers of the supervisory authority in enforcing the GDPR

12.4.1 Investigative powers of the supervisory authority

12.4.2 Corrective powers of the supervisory authority

12.4.3 General conditions for imposing administrative fines

Proportionate

Dissuasive

12.5 The consistency mechanism

12.5.1 Role of the European Data Protection Supervisor (EDPS)

12.5.2 Role of the European Data Protection Board (EDPB)

12.6 Remedies

Appendix A Sources

Appendix B European Data Protection Board (EDPB) Publications

Index

Excerpt from the book

PRIVACY AND DATA PROTECTION BASED ON THE GDPR

within four domains:
