Biomedical Wearable Technologies
for Healthcare and Wellbeing
A.Y. 2021-2022
Martina Vettoretti
UNIVERSITY OF PADOVA
DEPARTMENT OF INFORMATION ENGINEERING
Regulation on data protection
Privacy
• Privacy: the right to a private life, to be autonomous, in control of information about yourself, to be let alone.
• Almost every country in the world recognises privacy in some way.
• Moreover, privacy is recognised as a universal human right:
  - Universal Declaration of Human Rights (Article 12)
  - European Convention on Human Rights (Article 8)
  - European Charter of Fundamental Rights (Article 7).
2
Data protection
• Data protection has precise aims: to ensure the fair processing (collection, use, storage) of personal data by both the public and private sectors.
• Personal data: any information relating to an identified or identifiable natural (living) person.
  - An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, etc.
• Examples of personal data:
  - Names, dates of birth, photographs, email addresses and telephone numbers.
  - IP addresses and communications content (related to or provided by end-users of communications services) are also considered personal data.
• The European Charter of Fundamental Rights (Article 8) contains an explicit right to the protection of personal data.
3
Data protection regulation: GDPR
• In April 2016, the EU adopted a new regulation for data protection: the General Data Protection Regulation (GDPR).
• Fully applicable across the EU since May 2018, the GDPR is the most comprehensive and progressive piece of data protection legislation in the world.
• The GDPR also applies to organisations or companies not established in the EU that offer goods and services to individuals in the EU or monitor their behaviour.
• Globally, data protection laws are growing in number. Many of these laws are strongly influenced by the EU rules, which have long been considered the gold standard in data protection law.
• In the EU, each member state has adopted a national regulation on data protection that is compliant with the GDPR.
  - Italian law: DECRETO LEGISLATIVO 10 agosto 2018, n. 101. Disposizioni per l'adeguamento della normativa nazionale alle disposizioni del regolamento (UE) 2016/679 del Parlamento europeo e del Consiglio, del 27 aprile 2016, relativo alla protezione delle persone fisiche con riguardo al trattamento dei dati personali, nonché alla libera circolazione di tali dati e che abroga la direttiva 95/46/CE (regolamento generale sulla protezione dei dati).
    (Legislative Decree no. 101 of 10 August 2018: provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).)
4
Data protection regulation: GDPR
• The GDPR replaced the 1995 Data Protection Directive, which was adopted at a time when there was no massive use of the Internet.
• Over the last 25 years, technology has transformed our lives in ways nobody could have imagined, so a review of the rules was needed.
• The GDPR reinforces a wide range of existing rights and establishes new ones for individuals, including the right to erasure (right to be forgotten).
  - You can request that an organisation delete your personal data, for instance if your data are no longer necessary for the purposes for which they were collected or if you want to withdraw your consent to the processing of your data.
5
Living and dead individuals
• The GDPR only applies to personal data which relate to an identifiable living individual.
• Information relating to a dead person is not subject to the GDPR.
• Individual member states are allowed to define their own rules for the protection of dead people's data.
• Italy has extended the application of the GDPR to dead people with Decreto Legislativo 101/2018.
6
Data controllers and processors
• Data subject: the person whose personal data are collected, held or processed.
• Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  - The controller is responsible for the lawfulness of the processing, for the protection of the data, and for respecting the rights of the data subject. The controller is also the entity that receives requests from data subjects to exercise their rights.
  - The actual processing may be delegated to another party, called the data processor.
• Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  - The processor only acts "on behalf of the controller" and is therefore subject only to the controller's instructions.
  - The processor may choose not to process the data itself, but may have recourse to a subcontractor who processes the data on its behalf.
• Recipient: a natural or legal person, public authority, agency or another body to which the personal data are disclosed.
7
GDPR: seven main principles
• Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  - Identify valid grounds under the GDPR (known as a 'lawful basis') for collecting and using personal data.
• Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  - Purposes for processing must be clear from the start.
  - Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered to be incompatible with the initial purposes.
• Data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
8
GDPR: seven main principles
• Accuracy: personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
• Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  - Personal data may be stored for longer periods only if the data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
• Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational security measures.
• Accountability: the controller shall be responsible for, and be able to demonstrate, compliance with the principles of the GDPR.
9
Lawful basis for data processing under GDPR
• The processing of personal data is lawful if at least one of the following applies:
  - Consent: the data subject has given clear consent for you to process his or her personal data for a specific purpose.
  - Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  - Legal obligation: the processing is necessary to comply with a legal obligation to which the controller is subject.
  - Vital interests: the processing is necessary to protect someone's life.
  - Public task: the processing is necessary for performing a task in the public interest or in the exercise of official authority vested in the controller.
  - Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
• Data controllers and processors are required to provide information about the lawful basis for processing, usually through a privacy notice.
10
Consent
• When the lawful basis for processing personal data is consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
• Consent is defined as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
• The request for consent shall be presented in a manner which is clear, in an intelligible and easily accessible form, using plain language.
• The data subject shall have the right to withdraw his or her consent at any time.
  - It shall be as easy to withdraw consent as to give it.
11
Information to be provided before personal data collection
• When personal data relating to a data subject are collected from the data subject, the controller shall, prior to data collection, provide the data subject with all of the following information:
  - the identity and the contact details of the controller and, where applicable, of the controller's representative;
  - the contact details of the data protection officer, where applicable;
  - the categories of personal data concerned;
  - the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
  - when the processing is based on legitimate interests, these must be specified;
  - the recipients or categories of recipients of the personal data, if any;
  - where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the European Commission.
12
Information to be provided before personal data collection
• The following further information, necessary to ensure fair and transparent processing, must also be provided:
  - the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
  - the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing;
  - the existence of the right to withdraw consent at any time;
  - the right to lodge a complaint with a supervisory authority;
  - whether the provision of personal data is a statutory or contractual requirement, and the possible consequences of failure to provide such data;
  - the existence of automated decision-making, including profiling, and meaningful information about the logic involved and the consequences of such profiling.
13
Secondary use of the personal data
• Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected (secondary use of the data), the controller shall, prior to that further processing, provide the data subject with information on that other purpose and with any relevant further information.
14
Informed consent form for participating in a research trial
• If you are planning to conduct a research trial in which you collect personal data, each participant must provide explicit consent by which they agree to your processing their data for the purpose of the research.
  - Information sheet: document that shares the information about the research trial.
  - Consent form: form by which the subject provides consent and agrees to participate in the study.
15
Example of an information sheet template
16
Example of a consent form template
17
Websites using cookies and GDPR
• HTTP cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser.
  - Cookies serve some crucial functions of browsers (e.g. tracking the session state).
  - However, cookies can store a wealth of data, enough to potentially identify the user without his/her consent.
  - Cookies are the primary tool that advertisers use to track users' online activity so that they can target them with highly specific advertisements.
• Given the amount of data that cookies can contain, they can be considered personal data in certain circumstances and are therefore subject to the GDPR.
• Compliance with the GDPR requires that web servers using cookies must:
  - receive users' consent before using any cookies except those that are strictly necessary;
  - provide accurate and specific information about the data each cookie tracks and its purpose, in plain language, before consent is received;
  - document and store the consent received from users;
  - allow users to access the service even if they refuse to allow the use of certain cookies;
  - make it as easy for users to withdraw their consent as it was for them to give it in the first place.
18
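The five requirements above, worked through as an added Python example (not code from the slides): a declared cookie catalogue with plain-language purposes, a consent store that documents consent and its withdrawal, and a response filter that lets only strictly necessary cookies through until a stored consent covers the others. The sample cookies and the names COOKIE_CATALOGUE, ConsentStore, ConsentRecord and filter_set_cookie_headers are this example's own assumptions.

```python
"""Consent-gated cookie handling following the five requirements on the slide.

Added example, not from the original slides: the cookie catalogue, ConsentStore,
ConsentRecord and filter_set_cookie_headers are this example's own constructions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

NECESSARY = "strictly_necessary"

# Constructed catalogue: every cookie the site may set, with its category and the
# plain-language purpose that must be shown to the user before consent is asked.
COOKIE_CATALOGUE: Dict[str, Dict[str, str]] = {
    "session_id": {"category": NECESSARY, "purpose": "keeps you logged in during your visit"},
    "csrf_token": {"category": NECESSARY, "purpose": "protects forms you submit against forgery"},
    "analytics_uid": {"category": "analytics", "purpose": "counts visits per visitor"},
    "ad_profile": {"category": "advertising", "purpose": "links your browsing to an ad profile"},
}
KNOWN_CATEGORIES = {c["category"] for c in COOKIE_CATALOGUE.values()}


def cookie_notice_text() -> str:
    """Plain-language description of each cookie, shown before consent is requested."""
    return "\n".join(f"{n} ({c['category']}): {c['purpose']}" for n, c in COOKIE_CATALOGUE.items())


@dataclass
class ConsentRecord:
    """What is documented when a user gives consent (and later withdraws it)."""
    user_ref: str                      # pseudonymous reference to the user or device
    accepted: Set[str]                 # cookie categories the user opted in to
    notice_version: str                # version of the cookie notice the user saw
    given_at: str
    withdrawn_at: Optional[str] = None

    def allows(self, category: str) -> bool:
        # Strictly necessary cookies need no consent; anything else needs an
        # active (not withdrawn) consent that covers that category.
        return category == NECESSARY or (self.withdrawn_at is None and category in self.accepted)


class ConsentStore:
    """Keeps consent records so the controller can demonstrate consent later."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}
        self.audit_log: List[str] = []

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def record(self, user_ref: str, accepted: Set[str], notice_version: str) -> ConsentRecord:
        unknown = set(accepted) - KNOWN_CATEGORIES
        if unknown:  # consent can only cover purposes that were declared
            raise ValueError(f"undeclared cookie categories: {sorted(unknown)}")
        rec = ConsentRecord(user_ref, set(accepted), notice_version, self._now())
        self._records[user_ref] = rec
        self.audit_log.append(f"{rec.given_at} consent user={user_ref} "
                              f"accepted={sorted(accepted)} notice={notice_version}")
        return rec

    def withdraw(self, user_ref: str) -> bool:
        """One call and no extra steps: withdrawing must be as easy as consenting."""
        rec = self._records.get(user_ref)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = self._now()
        self.audit_log.append(f"{rec.withdrawn_at} withdraw user={user_ref}")
        return True

    def get(self, user_ref: str) -> Optional[ConsentRecord]:
        return self._records.get(user_ref)


def filter_set_cookie_headers(headers: List[Tuple[str, str]],
                              consent: Optional[ConsentRecord]) -> List[Tuple[str, str]]:
    """Return the response headers with disallowed Set-Cookie headers removed.

    Everything else in the response is kept, so a user who refuses cookies still
    gets the page. No record means no consent yet, so only strictly necessary
    cookies pass. A cookie missing from the catalogue is dropped too: its purpose
    was never declared, so it cannot have been consented to.
    """
    kept: List[Tuple[str, str]] = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            kept.append((name, value))
            continue
        entry = COOKIE_CATALOGUE.get(value.split("=", 1)[0].strip())
        if entry is not None and (consent.allows(entry["category"]) if consent
                                  else entry["category"] == NECESSARY):
            kept.append((name, value))
    return kept
```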
Example of an informed consent form for the use of cookies
19
Special categories of personal data (Art. 9)
Personal data revealing:
• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union membership;
• data concerning physical or mental health;
• data concerning sexual life or sexual orientation;
• genetic data or biometric data (physical, physiological or behavioural characteristics which allow or confirm the unique identification of a person) processed for the purpose of uniquely identifying a person.
The processing of these kinds of data shall be prohibited.
20
Conditions for use of special categories of personal data
Exceptions in which special categories of personal data can be processed:
• the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject;
• processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
• processing is done within an organisation for legitimate purposes, solely for members of the organisation, and the data are not disclosed outside the organisation without the consent of the data subject;
• processing relates to personal data which are manifestly made public by the data subject;
• …
21
Conditions for use of special categories of personal data
• …
• processing is necessary for the establishment, exercise or defence of legal claims;
• processing is necessary for reasons of substantial public interest;
• processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems;
• processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health;
• processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
22
Other notes on personal data
• Research organisations that hold and use special categories of personal data must ensure that they have a lawful basis to hold and use personal data and, in addition, a condition allowing them to hold and use special categories of personal data.
• Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of the GDPR.
• Information which is truly anonymous is not covered by the GDPR.
• If information that seems to relate to a particular individual is inaccurate (i.e. is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.
23
Pseudonymised data
• Pseudonymisation is a technique that replaces or removes information in a data set that identifies an individual.
• The GDPR defines pseudonymisation as: "…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person."
• Pseudonymisation may involve replacing names or other identifiers which are easily attributed to individuals with, for example, a unique identifier.
  - The data controller can still match the unique identifier to the individual, having access to the relevant additional information.
  - Technical and organisational measures are put in place to ensure that this additional information is held separately and that no one apart from the authorised people can retrieve it.
• Pseudonymising personal data helps protect the privacy of the subjects' identity.
  - However, pseudonymisation does not change the status of the data as personal data.
24
Anonymised data
• The GDPR does not apply to personal data that have been anonymised.
  - "…The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."
• In order to be truly anonymised under the GDPR, personal data must be stripped of sufficient elements that the individual can no longer be identified.
• If at any point reasonably available means can be used to re-identify the individuals to whom the data refer, the data will not have been effectively anonymised but will merely have been pseudonymised.
  - This means that, despite attempts at anonymisation, processing of personal data continues and is covered by the GDPR.
25
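The distinction drawn on this slide and the previous one, as an added Python example (not code from the slides): direct identifiers are replaced by a keyed pseudonym whose key and lookup table are the separately held "additional information", re-identification works only with that table, and stripping the pseudonym alone still leaves rows that reasonably available means (linking on birth year and postcode) could re-identify, so quasi-identifiers are coarsened and rare rows suppressed before the data set can be treated as anonymised. The wearable-study records, field names and helper names (pseudonymise, reidentify, anonymise) are constructed for this example.

```python
"""Pseudonymisation versus anonymisation of a small wearable-study data set.

Added example, not from the original slides. The sample records, the field
names and the helper names are this example's own constructions, chosen to
mirror the GDPR definitions quoted on the slides.
"""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample: raw records as a wearable study might collect them.
RAW_RECORDS: List[Record] = [
    {"name": "Anna Rossi", "email": "anna@example.org", "birth_year": "1984",
     "postcode": "35121", "mean_hr": "71"},
    {"name": "Luca Bianchi", "email": "luca@example.org", "birth_year": "1979",
     "postcode": "35121", "mean_hr": "64"},
    {"name": "Sara Verdi", "email": "sara@example.org", "birth_year": "1984",
     "postcode": "35131", "mean_hr": "77"},
]
DIRECT_IDENTIFIERS = ("name", "email")          # identify a person on their own
QUASI_IDENTIFIERS = ("birth_year", "postcode")  # identify a person in combination


def make_pseudonym_key() -> bytes:
    """The 'additional information' of the GDPR definition: kept apart from the data."""
    return secrets.token_bytes(32)


def pseudonymise(records: List[Record], key: bytes) -> Tuple[List[Record], Dict[str, Record]]:
    """Replace direct identifiers with a keyed pseudonym.

    Returns the pseudonymised data set and a lookup table pseudonym -> identifiers.
    Key and lookup table are the separately held information that makes the data
    attributable again, so they need their own storage and access controls.
    """
    out: List[Record] = []
    lookup: Dict[str, Record] = {}
    for rec in records:
        # HMAC rather than a plain hash: a plain hash of an e-mail address can be
        # recomputed by anyone who can guess the input, so it would not stop attribution.
        ident = rec["email"].strip().lower().encode()
        pid = hmac.new(key, ident, hashlib.sha256).hexdigest()[:16]
        lookup[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        out.append({"pid": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def reidentify(pseudonymised: List[Record], lookup: Dict[str, Record]) -> List[Record]:
    """Whoever holds the lookup table can restore identities: still personal data."""
    return [{**lookup[r["pid"]], **{k: v for k, v in r.items() if k != "pid"}}
            for r in pseudonymised]


def quasi_key(rec: Record) -> Tuple[str, ...]:
    return tuple(rec[q] for q in QUASI_IDENTIFIERS)


def unique_quasi_identifier_rows(records: List[Record]) -> int:
    """Rows whose quasi-identifier combination is unique in the data set.

    A unique combination is a handle for re-identification by linking the row to
    another source (e.g. a membership list), even when no pseudonym is present.
    """
    counts = Counter(quasi_key(r) for r in records)
    return sum(1 for r in records if counts[quasi_key(r)] == 1)


def anonymise(records: List[Record], k: int = 2) -> List[Record]:
    """Drop pseudonyms, coarsen quasi-identifiers and suppress rows rarer than k.

    This is one reasonable-means check, not a guarantee: a data set with more
    columns or a linkable external source may need further generalisation.
    """
    coarse: List[Record] = []
    for r in records:
        c = {key: v for key, v in r.items() if key != "pid"}
        c["birth_year"] = str(int(r["birth_year"]) // 10 * 10) + "s"  # decade only
        c["postcode"] = r["postcode"][:3] + "**"                     # area only
        coarse.append(c)
    counts = Counter(quasi_key(r) for r in coarse)
    return [r for r in coarse if counts[quasi_key(r)] >= k]
```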
Data subjects' rights under GDPR
• The right to be informed
  - Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
• The right of access
  - Individuals have the right to access and receive a copy of their personal data, and other supplementary information, including the purpose and period of processing.
• The right to rectification
  - The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if they are incomplete.
• The right to erasure ('right to be forgotten')
  - The GDPR introduces a right for individuals to have personal data erased.
26
Data subjects' rights under GDPR
• The right to restrict processing
  - Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, the controller is permitted to store the personal data, but not to use them.
• The right to data portability
  - Individuals can obtain and reuse their personal data for their own purposes across different services. Subjects can move, copy or transfer personal data easily to another controller.
• The right to object
  - The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
27
Data subjects' rights under GDPR
• Rights in relation to automated decision making and profiling
  - The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  - Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
28
Data protection by design and by default
• Data protection by design: the controller shall implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing, in order to meet the requirements of the Regulation and protect the rights of data subjects.
• Data protection by default:
  - The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
  - Such measures shall ensure that, by default, personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
29
Records of processing activities: controller
Each controller shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
• name and contact details of the controller;
• purposes of the processing;
• the categories of data subjects and the categories of personal data;
• the categories of recipients to whom the personal data have been or will be disclosed;
• where applicable, transfers of personal data to a third country;
• where possible, the envisaged time limits for erasure of the different categories of data;
• where possible, a general description of the technical and organisational security measures adopted.
30
Records of processing activities: processor
Each processor shall maintain a record of processing activities carried out on behalf of the controller. That record shall contain all of the following information:
• name and contact details of the processor and of the controller;
• the categories of processing carried out;
• where applicable, transfers of personal data to a third country;
• where possible, a general description of the technical and organisational security measures adopted.
31
Security measures
• The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
  - the pseudonymisation and encryption of personal data;
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
32
Data protection officer (DPO)
• The controller and the processor shall designate a data protection officer when:
  - the processing is carried out by a public authority or body;
  - the processing operations require regular and systematic monitoring of data subjects on a large scale;
  - the processing involves the processing on a large scale of the special categories of data pursuant to Article 9.
• The DPO shall be an expert in data protection regulation and practices.
• Tasks of the DPO:
  - to inform and advise the controller or the processor and the employees who carry out processing of their obligations under the GDPR;
  - to monitor compliance with the GDPR;
  - to provide advice where requested as regards data protection;
  - to cooperate with data protection authorities;
  - to act as a contact point between the controller, the processor and the data protection authorities.
33
Data protection authorities
• In most countries, national Data Protection Authorities (DPAs) or regulators have been established to be the guardians of data protection.
  - The Italian one is the Garante per la protezione dei dati personali (http://www.garanteprivacy.it/).
• For the enforcement of data protection laws to be effective, DPAs are given the power to investigate, detect and punish violations, as well as the responsibility to raise awareness of data protection rights and obligations in general.
• In the EU, this effectiveness is strengthened by the requirement for DPAs to be independent of any political, governmental or other influence (Article 16(2) of the Treaty on the Functioning of the EU (TFEU) and Article 8(3) of the EU Charter of Fundamental Rights).
• Furthermore, good cooperation between DPAs ensures greater consistency of data protection in the EU.
• The European Data Protection Supervisor (EDPS) is an independent supervisory authority responsible for ensuring that EU institutions and bodies comply with data protection law when processing personal data.
34
Restrictions to the application of GDPR
• In the EU, privacy and data protection are not absolute rights and can be limited under certain conditions according to the EU Charter of Fundamental Rights.
• The rights to privacy and data protection may need to be balanced against other EU values, human rights, or public and private interests, such as the fundamental rights to freedom of expression, freedom of the press or freedom of access to information.
• The rights to privacy and data protection may also need to be weighed against other public interests, such as national security.
  - The GDPR is not applicable if data are used for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
• Data protection authorities ensure this balance between privacy and other interests.
35

On GDPR - Regulation on Personal Data Protection

  • 1.
    Biomedical Wearable Technologies forHealthcare and Wellbeing A.Y. 2021-2022 Martina Vettoretti UNIVERSITY OF PADOVA DEPARTMENT OF INFORMATION ENGINEERING Regulation on data protection
  • 2.
    Privacy  Privacy: theright to a private life, to be autonomous, in control of information about yourself, to be let alone.  Almost every country in the world recognises privacy in some way.  Moreover, privacy is recognised as a universal human right.  Universal Declaration of Human Rights (Article 12)  European Convention of Human Rights (Article 8)  European Charter of Fundamental Rights (Article 7). 2
  • 3.
    Data protection  Dataprotection has precise aims to ensure the fair processing (collection, use, storage) of personal data by both the public and private sectors.  Personal data: any information relating to an identified or identifiable natural (living) person  An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, etc.  Examples of personal data:  Names, dates of birth, photographs, email addresses and telephone numbers  IP addresses and communications content - related to or provided by end-users of communications services - are also considered personal data.  The European Charter of Fundamental Rights (Article 8) contains an explicit right to the protection of personal data. 3
  • 4.
    Data protection regulation:GDPR  In April 2016, the EU adopted a new regulation for data protection: the General Data Protection Regulation (GDPR).  Fully applicable across the EU in May 2018, the GDPR is the most comprehensive and progressive piece of data protection legislation in the world.  The GDPR also applies to organisations or companies not established in the EU who offer goods and services to individuals in the EU or monitor their behaviour.  Globally, there is an increasing growth in data protection laws. Many of these laws are strongly influenced by the EU rules, which have long been considered the gold standard in data protection law.  In EU, each member state has adopted a national regulation on data protection that is compliant with the GDPR.  Italian law: DECRETO LEGISLATIVO 10 agosto 2018, n. 101. Disposizioni per l'adeguamento della normativa nazionale alle disposizioni del regolamento (UE) 2016/679 del Parlamento europeo e del Consiglio, del 27 aprile 2016, relativo alla protezione delle persone fisiche con riguardo al trattamento dei dati personali, nonchè alla libera circolazione di tali dati e che abroga la direttiva 95/46/CE (regolamento generale sulla protezione dei dati). 4
  • 5.
    Data protection regulation:GDPR  The GDPR substituted the 1995 Data Protection Directive which was adopted at a time when there was no massive use of the Internet.  Over the last 25 years, technology has transformed our lives in ways nobody could have imagined so a review of the rules was needed.  The GDPR reinforces a wide range of existing rights and establishes new ones for individuals, including the right to erasure (right to be forgotten).  You can request that an organisation delete your personal data, for instance if your data are no longer necessary for the purposes for which they were collected or if you want to withdrawn your consent to the processing of your data. 5
  • 6.
    Living and deadindividuals  The GDPR only applies to the personal data which relates to an identifiable living individual.  Information relating to a dead person is not subject to the GDPR.  Single member states are allowed to define their own rules for the protection of dead people.  Italy has extended the application of the GDPR to dead people with the regulation Decreto Legislativo 101/2018. 6
  • 7.
    Data controllers andprocessor  Data subject: the person whose personal data are collected, held or processed.  Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.  The controller is responsible for the lawfulness of the processing, for the protection of the data, and respecting the rights of the data subject. The controller is also the entity that receives requests from data subjects to exercise their rights.  The actual processing may be delegated to another party, called the data processor.  Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.  The processor only acts "on behalf of the controller" and thus only subject to his instructions.  The processor may choose not to process the data himself, but may have recourse to a subcontractor who processes the data on his behalf.  Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed. 7
  • 8.
    GDPR: seven mainprinciples  Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.  Identify valid grounds under GDPR (known as a ‘lawful basis’) for collecting and using personal data.  Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.  Purposes for processing must be clear from the start  Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes are not considered to be incompatible with the initial purposes  Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. 8
  • 9.
GDPR: seven main principles
 Accuracy: personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
 Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
   Personal data may be stored for longer periods only if they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
 Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational security measures.
 Accountability: the controller shall be responsible for, and be able to demonstrate compliance with, the principles of the GDPR.
Lawful basis for data processing under GDPR
 The processing of personal data is lawful only if at least one of the following applies:
   Consent: the data subject has given clear consent for you to process his or her personal data for a specific purpose.
   Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
   Legal obligation: the processing is necessary to comply with a legal obligation to which the controller is subject.
   Vital interests: the processing is necessary to protect someone's life.
   Public task: the processing is necessary for performing a task in the public interest or in the exercise of official authority vested in the controller.
   Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
 Data controllers and processors are required to provide information about the lawful basis for processing, usually through a privacy notice.
    Consent  When thelawful basis for processing personal data is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.  Consent is defined as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.  The request for consent shall be presented in a manner which is clear, in an intelligible and easily accessible form, using plain language.  The data subject shall have the right to withdraw his or her consent at any time.  It shall be as easy to withdraw as to give consent. 11
  • 12.
Information to be provided before personal data collection
 When personal data relating to a data subject are collected from the data subject, prior to data collection, the controller shall provide the data subject with all of the following information:
   the identity and the contact details of the controller and, where applicable, of the controller's representative;
   the contact details of the data protection officer, where applicable;
   the categories of personal data concerned;
   the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
   when the processing is based on legitimate interests, these must be specified;
   the recipients or categories of recipients of the personal data, if any;
   where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the European Commission.
Information to be provided before personal data collection
 The following further information, necessary to ensure fair and transparent processing, must also be provided:
   the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
   the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing;
   the existence of the right to withdraw consent at any time;
   the right to lodge a complaint with a supervisory authority;
   whether the provision of personal data is a statutory or contractual requirement, and the possible consequences of failure to provide such data;
   the existence of automated decision-making, including profiling, and meaningful information about the logic involved and the consequences of such profiling.
Secondary use of the personal data
 Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected (secondary use of the data), the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information.
Informed consent form for participating in a research trial
 If you are planning to conduct a research trial in which you collect some personal data, each participant must provide explicit consent by which they agree to you processing their data for the purpose of the research.
 Information sheet: document that shares the information about the research trial.
 Consent form: form by which the subject provides consent and agrees to participate in the study.
Example of an information sheet template
Example of a consent form template
Websites using cookies and GDPR
 HTTP cookies are small blocks of data created by a web server while a user is browsing a website and stored on the user's computer or other device by the user's web browser.
 Cookies serve some essential functions (e.g. keeping track of the session state).
 However, cookies can store a wealth of data, enough to potentially identify the user without his/her consent.
 Cookies are the primary tool that advertisers use to track users' online activity so that they can target them with highly specific advertisements.
 Given the amount of data that cookies can contain, they can be considered personal data in certain circumstances and are therefore subject to the GDPR.
   Note: the obligation to obtain consent before storing non-essential cookies comes from the ePrivacy Directive (Article 5(3)); the GDPR supplies the standard that such consent must meet.
 Compliance imposes that websites using cookies must:
   receive users' consent before using any cookies except those that are strictly necessary;
   provide accurate and specific information, in plain language, about the data each cookie tracks and its purpose before consent is received;
   document and store the consent received from users;
   allow users to access the service even if they refuse to allow the use of certain cookies;
   make it as easy for users to withdraw their consent as it was for them to give it in the first place.
Example of an informed consent form for the use of cookies
Special categories of personal data (Art. 9)
Personal data revealing:
 racial or ethnic origin;
 political opinions;
 religious or philosophical beliefs;
 trade union membership;
 data concerning physical or mental health;
 data concerning sexual life or sexual orientation;
 genetic data or biometric data (physical, physiological or behavioural characteristics which allow or confirm the unique identification of a person) processed for the purpose of uniquely identifying a person.
The processing of these kinds of data is prohibited unless one of the exceptions in Art. 9(2) applies.
 For this course: physiological signals recorded by a wearable (e.g. heart rate, glucose) are data concerning health whenever they reveal information about the subject's health status.
Conditions for use of special categories of personal data
Exceptions in which special categories of personal data can be processed:
 the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
 processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law;
 processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
 processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim, for legitimate purposes, solely in relation to its members, and the data are not disclosed outside the body without the consent of the data subject;
 processing relates to personal data which are manifestly made public by the data subject;
 …
Conditions for use of special categories of personal data
 …
 processing is necessary for the establishment, exercise or defence of legal claims;
 processing is necessary for reasons of substantial public interest;
 processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems;
 processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health;
 processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Other notes on personal data
 Research organisations that hold and use special categories of personal data must ensure that they have a lawful basis both to hold and use personal data and to hold and use special categories of personal data.
 Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of the GDPR.
 Information which is truly anonymous is not covered by the GDPR.
 If information that seems to relate to a particular individual is inaccurate (i.e. it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.
    Pseudonymised data  Pseudonymisationis a technique that replaces or removes information in a data set that identifies an individual.  The GDPR defines pseudonymisation as: “…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”  Pseudonymisation may involve replacing names or other identifiers which are easily attributed to individuals with, for example, a unique identifier.  The data controller can still match the unique identifier to the individual entity having access to the relevant information;  Technical and organisational measures are put in place to ensure that this additional information is held separately and no one apart the authorized people can retrieve it.  Pseudonymising personal data help protecting the privacy of subjects’ identity.  However, pseudonymisation does not change the status of the data as personal data. 24
  • 25.
    Anonymised data  TheGDPR does not apply to personal data that has been anonymised.  “…The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”  In order to be truly anonymised under the GDPR, personal data must be stripped of sufficient elements that mean the individual can no longer be identified.  If at any point reasonably available means can be used to re-identify individuals to which the data refers, data will not have been effectively anonymised but will have merely been pseudonymised.  This means that despite attempts at anonymisation processing of personal data continues and is covered by GDPR. 25
  • 26.
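The distinction drawn in the two slides above (a pseudonym that the controller can reverse with separately held information, versus data that are anonymous only if no reasonably likely means re-identifies anyone) is easiest to see on a small data set. The following is an added example, not part of the lecture material: the participant records are constructed, the e-mail addresses are fictitious, and the HMAC key in the demo is a placeholder. It pseudonymises records with a keyed hash (keeping the mapping table separate), shows why an unkeyed hash is not a sound pseudonym, and then shows that the pseudonymised data set is still re-identifiable through the quasi-identifiers date of birth and postcode until those are generalised.

```python
"""Pseudonymisation vs. anonymisation on a constructed wearable-study data set (added example)."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (fictitious people): two direct identifiers, two
# quasi-identifiers (date of birth, postcode) and one health measurement.
PARTICIPANTS = [
    {"name": "Anna Rossi",   "email": "anna@example.org",  "dob": "1985-03-12", "postcode": "35121", "mean_hr": 68},
    {"name": "Luca Bianchi", "email": "luca@example.org",  "dob": "1985-09-02", "postcode": "35122", "mean_hr": 74},
    {"name": "Sara Verdi",   "email": "sara@example.org",  "dob": "1985-03-12", "postcode": "35121", "mean_hr": 81},
    {"name": "Marco Neri",   "email": "marco@example.org", "dob": "1985-01-20", "postcode": "35125", "mean_hr": 59},
]
DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("dob", "postcode")


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed pseudonym (HMAC-SHA256 of the e-mail).

    Returns the research data set and the mapping table as two separate objects:
    the mapping (plus the key) is the GDPR's "additional information", to be stored
    apart under access control. Without the key nobody can recompute a pseudonym
    from a guessed e-mail, and without the table nobody can look one up.
    """
    dataset, mapping = [], {}
    for rec in records:
        pid = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        mapping[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        dataset.append({"pid": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return dataset, mapping


def reidentify(dataset, mapping):
    """What the controller holding the mapping table can do: join the identities back in."""
    return [{**mapping[row["pid"]], **row} for row in dataset]


def unkeyed_token(email):
    """A plain hash of the identifier, which is NOT a sound pseudonym (see dictionary_attack)."""
    return hashlib.sha256(email.encode()).hexdigest()[:16]


def dictionary_attack(token, candidate_emails):
    """Anyone can re-hash guessed inputs against an unkeyed token; the keyed HMAC resists this."""
    return next((e for e in candidate_emails if unkeyed_token(e) == token), None)


def k_anonymity(dataset, quasi_ids=QUASI_IDENTIFIERS):
    """Size of the smallest group of rows sharing the same quasi-identifier values.

    k == 1 means at least one participant is unique on those columns and can be
    singled out by anyone who knows them, so the data are not anonymous.
    """
    groups = Counter(tuple(row[q] for q in quasi_ids) for row in dataset)
    return min(groups.values())


def linkage_attack(dataset, known, quasi_ids=QUASI_IDENTIFIERS):
    """Re-identification by linkage: match one person's quasi-identifiers, known from
    some outside source (e.g. a public register), against the "de-identified" rows."""
    target = tuple(known[q] for q in quasi_ids)
    return [row for row in dataset if tuple(row[q] for q in quasi_ids) == target]


def generalise(dataset):
    """Coarsen the quasi-identifiers (birth year only, postcode area only) to raise k.

    Generalisation is one building block of anonymisation, not a guarantee: the residual
    risk must still be assessed against the means reasonably likely to be used.
    """
    return [{**row, "dob": row["dob"][:4], "postcode": row["postcode"][:3]} for row in dataset]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in a real study: generated once, stored apart from the data set
    data, table = pseudonymise(PARTICIPANTS, key)
    print("pseudonymised rows:", data)
    print("k-anonymity on (dob, postcode):", k_anonymity(data))
    print("rows matching Marco's dob+postcode:", linkage_attack(data, {"dob": "1985-01-20", "postcode": "35125"}))
    print("k-anonymity after generalisation:", k_anonymity(generalise(data)))
```

Running it shows the point of both slides: with the mapping table the controller can restore every name, so the data are personal data; without it, a third party who knows Marco's date of birth and postcode still isolates his row (k = 1) and learns his heart-rate value, so the data are not anonymous either. Only after generalisation does every row share its quasi-identifiers with three others (k = 4), and even that should be read as reduced risk rather than proof of anonymity.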
Data subjects' rights under GDPR
 The right to be informed
   Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
 The right of access
   Individuals have the right to access and receive a copy of their personal data, and other supplementary information, including the purpose and period of processing.
 The right to rectification
   The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if they are incomplete.
 The right to erasure ("right to be forgotten")
   The GDPR introduces a right for individuals to have personal data erased.
Data subjects' rights under GDPR
 The right to restrict processing
   Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, the controller is permitted to store the personal data, but not to use them.
 The right to data portability
   Individuals can obtain and reuse their personal data for their own purposes across different services. Subjects can move, copy or transfer personal data easily to another controller.
 The right to object
   The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
Data subjects' rights under GDPR
 Rights in relation to automated decision-making and profiling
   The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
   Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Data protection by design and by default
 Data protection by design: the controller shall implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement the data-protection principles in an effective manner and to integrate the necessary safeguards into the processing, in order to meet the requirements of the Regulation and protect the rights of data subjects.
 Data protection by default:
   The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
   Such measures shall ensure that, by default, personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
Records of processing activities: controller
Each controller shall maintain a record of the processing activities under its responsibility. That record shall contain all of the following information:
 name and contact details of the controller;
 purposes of the processing;
 the categories of data subjects and the categories of personal data;
 the categories of recipients to whom the personal data have been or will be disclosed;
 where applicable, transfers of personal data to a third country;
 where possible, the envisaged time limits for erasure of the different categories of data;
 where possible, a general description of the technical and organisational security measures adopted.
Records of processing activities: processor
Each processor shall maintain a record of the processing activities carried out on behalf of the controller. That record shall contain all of the following information:
 name and contact details of the processor and of the controller;
 the categories of processing carried out;
 where applicable, transfers of personal data to a third country;
 where possible, a general description of the technical and organisational security measures adopted.
    Security measures  Thecontroller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:  the pseudonymisation and encryption of personal data;  the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;  the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;  a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 32
  • 33.
Data protection officer (DPO)
 The controller and the processor shall designate a data protection officer when:
   the processing is carried out by a public authority or body;
   the core processing operations require regular and systematic monitoring of data subjects on a large scale;
   the core processing operations involve processing on a large scale of the special categories of data pursuant to Article 9.
 The DPO shall be an expert in data protection law and practices.
 Tasks of the DPO:
   to inform and advise the controller or the processor, and the employees who carry out processing, of their obligations under the GDPR;
   to monitor compliance with the GDPR;
   to provide advice, where requested, as regards data protection;
   to cooperate with the data protection authorities;
   to act as a contact point between the controller, the processor and the data protection authorities.
    Data protection authorities In most countries, national Data Protection Authorities (DPAs) or Regulators have been established to be the guardians of data protection.  The Italian one is: Garante per la protezione dei dati personali (http://www.garanteprivacy.it/)  For the enforcement of data protection laws to be effective, DPAs are given the power to investigate, detect and punish violations as well as the responsibility to raise awareness of data protection rights and obligations in general.  In the EU, this effectiveness is strengthened by the requirement for DPAs to be independent of any political, governmental or other influence (Article 16(2) of the Treaty on the Functioning of the EU (TFEU) and Article 8(3) of the EU Charter of Fundamental Rights).  Furthermore, good cooperation between DPAs ensures greater consistency of data protection in the EU.  The European Data Protection Supervisor (EDPS) is an independent supervisory authority responsible for ensuring that EU institutions and bodies comply with data protection law when processing personal data. 34
  • 35.
Restrictions to the application of GDPR
 In the EU, privacy and data protection are not absolute rights and can be limited under certain conditions according to the EU Charter of Fundamental Rights.
 The rights to privacy and data protection may need to be balanced against other EU values, human rights, or public and private interests, such as the fundamental rights to freedom of expression, freedom of the press or freedom of access to information.
 The rights to privacy and data protection may also need to be weighed against other public interests, such as national security.
 The GDPR does not apply to processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; that processing is governed instead by the Law Enforcement Directive (EU) 2016/680.
 Data protection authorities ensure this balance between privacy and other interests.