Privacy and Data Protection based on the GDPR - Leo Besemer

Contents

Acknowledgements

How this book is organized

PART I | Privacy and data protection history and scope

1 History and context

1.1 The history of privacy and data protection

1.1.1 Human rights law

1.1.2 Milestones in Data Protection history

1.2 Context within European and national law

1.2.1 European legal acts

1.2.2 European legal acts complementing the GDPR

1.2.3 GDPR implementation laws

1.2.4 Other complementing law

1.2.5 The concepts of subsidiarity and proportionality

1.3 The scope of the GDPR

1.3.1 The concept of personal data

1.3.2 Material scope of the GDPR

1.3.3 Geographical scope of the GDPR

PART II | Principles and practice of processing

2 Stakeholder roles, rights and obligations

2.1 Controller

2.1.1 Accountability

2.1.2 Implementing data protection by design and by default

2.1.3 Required types of administrations

2.1.4 GDPR security requirements

2.1.5 Outsourcing of processing actions

2.2 Processor

2.2.1 Obligations of the processor

2.3 Representative

2.4 Data protection officer (DPO)

2.4.1 Mandatory appointment

2.4.2 Tasks of a data protection officer

2.4.3 Position of the DPO in the organization

2.5 Recipients and third parties

3 The principles of processing personal data

3.1 Lawfulness, fairness and transparency

3.1.1 Lawfulness

3.1.2 Fairness and transparency

3.2 Purpose specification and purpose limitation

3.2.1 Purpose limitation and further processing

3.3 Data minimization

3.4 Accuracy

3.4.1 Reasonable steps

3.4.2 Not incorrect or misleading as to any matter of fact

3.4.3 Need to update

3.4.4 Personal data challenged

3.5 Storage limitation

3.6 Integrity and confidentiality

3.6.1 A level of security appropriate to the risk

3.7 Subsidiarity and proportionality

3.7.1 Subsidiarity

3.7.2 Proportionality

4 Lawful grounds for processing

4.1 Personal data: processing is permitted, provided …

4.1.1 Necessary for the performance of a contract

4.1.2 Necessary for compliance with a legal obligation

4.1.3 Necessary to protect a vital interest

4.1.4 Necessary in the public interest or by an official authority

4.1.5 Necessary for a legitimate interest of the controller

4.1.6 Consent of the data subject

4.2 Sensitive data: processing is prohibited, unless…

4.2.1 The concept of “sensitive data”?

4.2.2 Derogations from the prohibition to process sensitive data

4.3 Recapitulating: the case of Santa Claus

5 The rights of the data subjects

5.1 Right to transparent information, communication and modalities

5.1.1 Information to be provided to the data subject

5.1.2 Derogations to the obligation to provide information

5.1.3 Timing of the response to a request

5.2 Right of access (inspection)

5.2.1 Timing and limitations to the right of access

5.2.2 Refusing a request

5.2.3 Conditions for compliance

5.3 Right to rectification

5.3.1 The concepts of “inaccurate” and “incomplete”

5.3.2 Timing of the response to a request

5.3.3 Refusing a request

5.3.4 Notification obligation

5.3.5 Conditions for compliance

5.4 Right to erasure (“right to be forgotten”)

5.4.1 Timing of the response to a request

5.4.2 Refusing a request

5.4.3 Notification obligation

5.4.4 Conditions for compliance

5.5 Right to restriction of processing

5.5.1 Grounds to have processing restricted

5.5.2 Timing of the response to a request

5.5.3 Refusing a request

5.5.4 Notification obligation

5.5.5 Conditions for compliance

5.6 Right to data portability

5.6.1 Concepts addressed in the right to portability

5.6.2 Timing of the response to a request

5.6.3 Refusing a request

5.6.4 Conditions for compliance

5.7 Right to object

5.7.1 Timing of the response to a request

5.7.2 Refusing a request

5.7.3 Conditions for compliance

5.8 Rights related to automated decision-making, including profiling

5.8.1 The concepts of profiling and automated decision-making

5.8.2 Legitimate use of profiling and/or automated decision-making

5.8.3 Conditions for compliance

5.9 Right to lodge a complaint with a supervisory authority

5.9.1 Representation

6 Data governance

6.1 Data governance

6.1.1 Understanding the data streams

6.1.2 Data lifecycle management (DLM)

6.2 Data protection audit

6.2.1 Purpose of an audit

6.2.2 Contents of an audit plan

7 Processing and the online world

7.1 The use of personal data in marketing

7.1.1 Cookies – the technical view

7.1.2 Cookies – the privacy perspective

7.1.3 The price of “free” services

7.1.4 Profiling

7.1.5 Automated decision-making

7.2 Big data, artificial intelligence and machine learning

7.2.1 The concept of big data

7.2.2 AI challenges regarding GDPR compliance

7.2.3 Anonymization

7.3 Interplay between GDPR and ePrivacy Directive

PART III | International data transfers

8 Cross-border transfers within the EEA

8.1 The concept of data transfer

8.2 Multinational cases

8.2.1 Identifying the lead supervisory authority

8.2.2 Processing across different jurisdictions

9 Cross-border transfers outside the EEA

9.1 Transfers on the basis of an adequacy decision

9.2 Transfers subject to appropriate safeguards

9.3 Binding corporate rules (BCR)

9.4 Standard Contractual Clauses (SCCs)

9.5 Transfers or disclosures not authorized by Union law

9.6 Derogations

PART IV | Risk assessment and mitigation

10 Data Protection Impact Assessment (DPIA) and prior consultation

10.1 Objectives of a DPIA

10.2 Topics of a DPIA report

10.2.1 Publishing the DPIA report

10.3 Executing a DPIA

10.4 List of criteria for a mandatory DPIA

10.5 Prior consultation

11 Personal data breaches and related procedures

11.1 The concept of data breach

11.1.1 Security considerations

11.2 How to monitor and prevent a personal data breach

11.3 What to do when a personal data breach occurs

11.4 Notification obligations in relation to personal data breaches

11.5 Types and categories of personal data breaches

PART V | The supervisory authorities

12 Data Protection Authority (DPA)

12.1 Independence

12.2 Competences, tasks and powers of a Supervisory Authority

12.2.1 To monitor and enforce the application of the Regulation

12.2.2 To advise and promote awareness

12.2.3 To administrate personal data breaches and other infringements

12.2.4 To set standards

12.3 Roles and responsibilities related to personal data breaches

12.4 Powers of the supervisory authority in enforcing the GDPR

12.4.1 Investigative powers of the supervisory authority

12.4.2 Corrective powers of the supervisory authority

12.4.3 General conditions for imposing administrative fines

12.5 The consistency mechanism

12.5.1 Role of the European Data Protection Supervisor (EDPS)

12.5.2 Role of the European Data Protection Board (EDPB)

12.6 Remedies

Appendix A Sources

Appendix B European Data Protection Board (EDPB) Publications

Index
