Privacy and Data Protection based on the GDPR - Leo Besemer
How this book is organized
For many organizations processing personal data, the General Data Protection Regulation (GDPR) came as a shock. Not so much its publication in the spring of 2016, but rather the articles that appeared about it in professional journals and newspapers, leading to protests and unrest. “The heavy requirements of the law would force very expensive measures on companies and organizations”, was one of the concerns. In addition, the “173 recitals and 99 articles left too much room for interpretation, while companies which failed to comply would face draconian fines”.
This book is intended to explain where these requirements came from and to show that the GDPR is not incomprehensible; its principles are in fact remarkably easy to understand. The other concerns, however, cannot be dismissed entirely. The regulation forces companies to raise their data governance to a level where their data, in particular personal data, is safe and the rights and freedoms of the data subjects involved are protected. And for those companies and other organizations that do not even try to comply, the fines imposed should be “effective, proportionate and dissuasive”, to quote GDPR Recital (151).
Part I of the book covers the history of privacy and data protection, showing among other things that the “new” requirements of the GDPR were not that new at all. The material and territorial scope of the GDPR is explained, including how the GDPR interacts with, and is complemented by, other EU and national law. For example, when a type of processing falls outside the scope of the GDPR, that does not necessarily mean there is no harmonized framework of national law covering it: processing by police and judicial authorities for law enforcement purposes, for instance, is governed by the Law Enforcement Directive (EU) 2016/680 instead.
Part II is the backbone of this book. We start with the main characters. Who are those ‘stakeholders’? Who is responsible, who is accountable, and for what exactly? What responsibilities, duties, rights and obligations come with each role? The controller, responsible and accountable for compliance with the GDPR, including implementation of the principles of personal data processing and of data protection by design and by default. The processor, processing personal data on the instructions of the controller but, unlike under the earlier Data Protection Directive, now also directly responsible for its own compliance with the GDPR. And the data protection officer, an independent advisor who helps reconcile the company’s interests with compliance with the GDPR.
We then move on to the practical side. The principles for processing personal data are covered in Chapter 3; among other things they require that processing be lawful. Chapter 4 details the six lawful grounds for processing listed in GDPR Article 6(1). Chapter 5 covers the rights of the data subject, the individual whose personal data is processed, including what kinds of requests exercising those rights an organization should expect and how to handle them effectively and efficiently.
Chapter 6 deals with data governance: methods to handle an organization’s valuable data responsibly within the requirements set by the GDPR. The last chapter of this part, Chapter 7, examines modern techniques such as tracking and tracing for collecting personal data and processing it further, and the tension between artificial intelligence and machine learning, which form the basis for valuable services, on the one hand, and, on the other, the requirements the law sets to protect the citizens whose personal data those services depend on.
Part III deals with international transfers of data: the concept of a data transfer and the rules for engaging processors in third countries; the protection of individuals in the EEA against the risks of controllers processing their data through websites based in third countries, or storing it in the cloud, which in practice may mean a server park somewhere in a distant country; and the rules for transfers within the EEA and from the EEA to third countries, including transfers to the USA and the United Kingdom.
Part IV is about assessing the risks of processing, and mitigating them. Chapter 10 details the data protection impact assessment (DPIA), which assesses the risks a processing operation poses to the data subjects and their data, but also the risks to the organization. Chapter 11 covers data breaches and mitigating the consequences of such a security incident, including the mandatory procedures for investigation and notification: to the supervisory authority, where feasible within 72 hours of becoming aware of the breach (GDPR Article 33), and to the data subjects where the breach is likely to result in a high risk to their rights and freedoms (Article 34).
Part V covers the framework of supervisory authorities (DPAs), each monitoring the application of the GDPR in its own territory while cooperating closely with the others to maintain harmonization. Their legal basis, competences, tasks and powers are discussed, as is the role of the DPA in enforcement: inspections, warnings and administrative fines.
In this book I use “supervisory authority” for the concept of an authority overseeing international cooperation, and “data protection authority” (DPA) for the national (or regional) institution with its own tasks and responsibilities. The GDPR itself uses only the former term (Article 4(21)); in its context there is no real difference between the two.
The Appendices contain sources and references: the literature used in writing this book and suggested for further reading, among it the publications of the European Data Protection Board (EDPB), which detail the concepts and articles of the GDPR extensively. There is also an index to help you find the topics you are looking for.
References to the GDPR
In this book I will often provide references to the General Data Protection Regulation, both in footnotes and by quoting parts of the legal text, like this:
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes (…)
GDPR Article 5
In a footnote, and indeed in other literature on this topic, the subparagraph marked (a) in the article quoted above would be referred to as GDPR Article 5(1)(a), read as Article 5, paragraph 1, subparagraph (a). The EU’s own drafting conventions call such lettered subdivisions “points”, so you will also encounter the form “point (a) of Article 5(1)” for the same provision. The ellipsis (…) in subparagraph (b) indicates that the quote does not reproduce the complete GDPR article. GDPR Article 5 actually consists of two paragraphs, the first of which is subdivided into six subparagraphs, (a) through (f).
Preceding the 99 articles, the GDPR also contains 173 recitals:
Whereas:
(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.
GDPR Recital (1)
This first recital of the GDPR would be referred to as GDPR Recital (1), with the Arabic numeral enclosed in parentheses. The recitals are a very important part of the GDPR, as they provide the context and explain the meaning of the articles. They are not themselves binding provisions, but the Court of Justice of the EU relies on them when interpreting the articles. You cannot fully understand the meaning of the articles, their intention, scope and reach, without taking the corresponding recitals into consideration. Unfortunately, the text of the GDPR does not indicate which recitals a specific article relates to. One must read through the whole document to see the connections. Or take the better alternative: read this book.