2018 02 20 GDPR SEMINAR - Gemeente Sint-Martens-Latem
3. Presented by: Karel Holst
Legal Counsel – DPO
karel.holst@ifori.be
Blog: www.gdprexpert.be
THE GENERAL DATA PROTECTION REGULATION - GDPR
Legal Perspective
DE ALGEMENE VERORDENING GEGEVENSBESCHERMING - AVG
4. Contents
I. Data Protection – Overview
II. GDPR – Key changes/obligations
III. Conclusion – Action plan
6. © 2018 IFORI – All rights reserved
Fundamental Rights
EU Charter of Fundamental Rights,
article 8(1):
“Everyone has the right to the
protection of personal data
concerning him or her.”
The Universal Declaration of Human
Rights, article 12:
“No one shall be subjected to
arbitrary interference with his
privacy, family, home or
correspondence, nor to attacks upon
his honour and reputation. Everyone
has the right to the protection of the
law against such interference or
attacks.”
7.
Why a new overriding Regulation?
Directive 95/46/EC sought to harmonize national legislations and ensure the free flow of data within the EU
But:
– Still differences in national implementation and application
– Limited cooperation between Data Protection Authorities (‘DPA’)
– Many technological & societal changes in the 20 years since Dir. 95/46/EC
– Need to strengthen Data Subjects' rights
8. Personal Data
Personal Data are everywhere!
“Any information relating to an identified or identifiable natural person”
E.g. name, location data, IP address, customer number, …
Stricter rules for special categories of Personal Data (general prohibition on processing):
‒ Racial or ethnic origin
‒ Political opinions
‒ Genetic and biometric data, solely for identification purposes
‒ Health data
‒ …
9. Scope of Processing
The processing of personal data wholly or partly by automated means
AND
manual processing if the personal data form part of a filing system or are intended to form part of a filing system
Processing: any operation or set of operations which is performed on personal data or on sets of personal data
E.g. collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
10. Processing (diagram)
Data Subject – provides Personal Data, e.g. customer data:
‒ Name
‒ Date of birth
‒ Address
‒ …
Controller – determines the purposes and the manner of the processing
e.g. IFORI, for marketing purposes, through an online registration form
Processor – separate legal entity that processes on behalf of the Controller
e.g. a marketer that carries out mail marketing
12.
Main objective
Ensure the right of an individual to make his own decisions regarding the information that relates to him.
Principles of processing:
‒ Fair, lawful and transparent
‒ Purpose limitation
‒ Data minimization
‒ Accuracy
‒ Storage limitation
‒ Integrity and confidentiality
+ Accountability
14.
I. Territorial Scope
The GDPR applies when:
‒ Processing takes place in the context of the activities of an establishment in the EU
‒ The data subjects are located in the EU, and the processing is related to:
• Offering goods or services
• Monitoring of their behavior (in the EU)
15.
II. Lawfulness
A valid legal basis to process the data is required:
‒ Consent
‒ Necessary for the performance of a contract
‒ Legitimate interests
16. Consent
– Freely given, specific, informed and unambiguous
– It must be given by a statement or a clear affirmative action (thus opt-out is NOT possible)
– Proof of consent to be provided by the Controller
– Withdrawable
– Obtained separately
– Children: when offering information society services, processing is only lawful where the child is at least 16 years old. Younger = consent by the holder of parental responsibility
18. Legitimate interests
― Pursued by the controller
― Balance: the controller's interests against the fundamental rights and freedoms of the data subject
19.
III. Rights of the data subject
Transparency
Access
Rectify
Erasure (right to be forgotten)
Restriction
Portability
Object
Not be subject to automated decision making (profiling)
20.
IV. Controllers and Processors
Controllers
‒ Privacy by default & design
‒ Records (replacing notification)
• Not required where <250 employees, unless the processing is high risk
• Including a general description of security measures
‒ Data breach notification
‒ Privacy Impact Assessment (PIA)/Prior consultation of the DPA
‒ Choose appropriate processors – Processing Agreements
‒ Data Protection Officer (DPO)
‒ Data security
21.
Data Breach Notification
Obligation to document all breaches
To Data Protection Authority (DPA)
– 72h deadline
– Specific information
– Documentation
To data subject
– High risk to rights and freedoms
– Clear and plain language
– Exceptions
22. Data Protection Officer (DPO)
When?
‒ Public authority or body
‒ Regular and systematic monitoring of data subjects on a large scale
‒ Processing of special categories of data on a large scale
Tasks?
‒ Inform and advise on the obligations pursuant to the GDPR
‒ Monitor compliance
‒ Advise on draft of PIA
‒ Cooperate with DPA
‒ External contact
Who?
23. Data Security
Ensure confidentiality, integrity, availability, resilience
By implementing appropriate technical and organizational measures
Risk-based approach (taking into account the state of the art, the costs of implementation, …)
– Encryption/Pseudonymisation
– Audits
– Back-up and redundancy
24.
IV. Controllers and Processors
Processors
‒ Comply with specific obligations
• Records
• Data Security
• PIA/DPO
• Breach notification to the Controller
‒ Directly liable
25.
V. Transfers
General prohibition on transfers outside the EEA (28+3), unless:
– Adequacy Decision
• White list
• EU-U.S. Privacy Shield
– Appropriate Safeguards
• Model Clauses (EC/DPA/Ad hoc)
• Binding Corporate Rules
• Codes of conduct/Certification
– Derogations (e.g. explicit consent)
27.
VI. Sanctions
Administrative fines by the DPA: effective, proportionate & dissuasive
– Up to the greater of €20.000.000 or 4% of the total worldwide annual turnover of an undertaking
Private claims by data subjects
– Complaint to the DPA
– Courts, for compensation from the Controller or Processor
Criminal penalties possible where provided for by member states
28.
Advantages of GDPR
• Reduction of administrative burdens & costs
• More legal certainty
• Same rules within EU
• Easier to transfer personal data
• One-Stop-Shop
30. Where to start?
1. DPO(?) - Project team
2. Awareness
3. Register
4. Information Security (IT)
5. Processing Agreements
From here: implement the other GDPR obligations
31. Register
Your contact details
For each processing activity:
• purposes;
• categories of data subjects & personal data;
• the categories of recipients;
• transfers to a third country + safeguards;
• retention period;
• description of security measures.
Article 30 GDPR

Records of processing activities – Company XYZ (example register reconstructed from the slide; the original cells are in Dutch and are translated here)
Column groups: WHO (processing activity) | WHY (purposes) | WHAT (categories of subjects; categories of PD; specific; source) | legal ground | retention | WHERE (storage; measures) | TRANSFER (receivers; outside EEA; measures)
Row groups on the slide: HR (Staff management (Selection/recruitment) – Applicants; Staff administration – Current staff/Former staff/Apprenticeship contract; Work planning; Meal vouchers), Supplier administration, Customer management (Customer administration – Customers), Accounting, Marketing, Website. Merged activity/purpose/subject cells could not be attached to individual rows and are shown as "–".

Activity | Purpose | Subjects | Category of PD | Specific | Legal ground | Retention | Storage | Measures | Receivers | Outside EEA | Measures
– | – | – | Identification data | name, first name, age, domicile and residence | Performance of employment contract (AO) | Unlimited | Paper/ADMB tool/Mailbox | Information security policy | AMNB | N/A | N/A
– | – | – | Training and education | CVs, training courses, certification (clarck), professional competence | Performance of employment contract (AO) | Unlimited | Paper/ADMB tool/Volta (federation | Information security policy | ADMB | N/A | N/A
Temps/holiday workers | – | – | Identification data | name, contract, address, national register number | Performance of employment contract (AO) | Unlimited | Mailbox/paper contract | Information security policy | Temp agency | N/A | N/A
– | – | – | Training and education/Occupation and position | CV | Performance of employment contract (AO) | Unlimited | Mailbox | Information security policy | N/A | N/A | N/A
– | – | – | Identification data | email/name | Performance of employment contract (AO) | Unlimited | Mailbox | Information security policy | N/A | N/A | N/A
Meal vouchers | – | Current staff | Identification data | name, national register number | Performance of employment contract (AO) | Unlimited | Edenred | Information security policy | Edenred | N/A | N/A
Work planning | Organisation of work | Current staff | Leave | – | Performance of employment contract (AO) | Unlimited | ADMB | Information security policy | N/A | N/A | N/A
Supplier administration | Supplier management | Contacts at suppliers | Identification data | name, email, telephone, address | Performance of contract (CT) | Unlimited | CRM | Information security policy | Cloud CRM | N/A | N/A
B2C: webshop | – | – | Identification data | see webshop | Performance of contract (CT) | Unlimited | CRM | Information security policy | N/A | N/A | N/A
Employees | – | – | Identification data | see webshop | Performance of contract (CT) | Unlimited | Excel + CRM | Information security policy | Microsoft (OneDrive) | US | Model Clauses
Invoicing | – | – | Identification data | user-id | Performance of contract (CT) | Unlimited | EVA Online | Information security policy | Accountant/EvaOnline | N/A | N/A
Accounting | – | – | Identification data | name, email, address | Performance of contract (CT) | Unlimited | EVA Online | Information security policy | Accountant/EvaOnline | N/A | N/A
Email marketing | – | Customers | Identification data | email address | Consent | Unlimited | CRM | Information security policy | Mailchimp | N/A | N/A
Telemarketing | – | – | Contact data/identification data | telephone number | Legitimate interest | Unlimited | CRM | Information security policy | Yello/Trendstop | N/A | N/A
Visitor administration | – | Visitors | Electronic identification data | IP address | Legitimate interest | Unlimited | Cloud CRM | Information security policy | Cloud CRM, Google Analytics | US | Model Clauses/Privacy
Contact form | – | Visitors | Contact data | name, email, question | Consent | Unlimited | Cloud CRM | Information security policy | Cloud CRM | N/A | N/A
Camera surveillance | Surveillance | Visitors | Images | Video | Consent (sticker) | 31 days | On-premise server | Information security policy | N/A | N/A | N/A
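Added example (not from the IFORI deck): a small Python check over register rows in the Article 30 layout used on the slide above, flagging a missing retention period, a missing legal ground, and a transfer outside the EEA without one of the safeguards the deck lists under V. Transfers. The rows are a constructed subset of the Company XYZ example; the last row deliberately drops its transfer safeguard to show that finding, and the field names and check rules are assumptions.

```python
from dataclasses import dataclass

# Adequacy decisions, safeguards and derogations named on the Transfers slide (assumed spellings).
ADEQUACY_OR_SAFEGUARD = {"adequacy decision", "privacy shield", "model clauses",
                         "binding corporate rules", "code of conduct",
                         "certification", "explicit consent"}


@dataclass
class Record:
    """One row of the register; column names follow the slide (assumed mapping)."""
    activity: str
    categories_of_data: str
    legal_ground: str
    retention: str          # e.g. "31 days" or "unlimited"
    receivers: str
    outside_eea: str        # "N/A" or the destination country
    transfer_measures: str  # safeguard relied on, or "N/A"


def check_record(r: Record) -> list[str]:
    """Return the compliance findings for one register row (empty list = no finding)."""
    findings = []
    # Storage limitation: a retention period must be recorded (Art. 30(1)(f)).
    if r.retention.strip().lower() in ("", "unlimited", "n/a"):
        findings.append("no retention period defined")
    # Lawfulness: every processing activity needs a legal basis.
    if r.legal_ground.strip().upper() in ("", "N/A"):
        findings.append("no legal ground recorded")
    # Transfers outside the EEA need an adequacy decision, safeguard or derogation.
    if r.outside_eea.strip().upper() != "N/A":
        measure = r.transfer_measures.strip().lower()
        if not any(s in measure for s in ADEQUACY_OR_SAFEGUARD):
            findings.append(f"transfer to {r.outside_eea} without documented safeguard")
    return findings


# Constructed sample rows based on the example register; the last row is modified.
SAMPLE = [
    Record("Meal vouchers", "name, national register number", "performance of contract",
           "unlimited", "Edenred", "N/A", "N/A"),
    Record("Visitor administration", "IP address", "legitimate interest",
           "unlimited", "Cloud CRM, Google Analytics", "US", "Model Clauses"),
    Record("Camera surveillance", "video images", "consent (sticker)",
           "31 days", "N/A", "N/A", "N/A"),
    Record("Employees (webshop)", "see webshop", "performance of contract",
           "unlimited", "Microsoft (OneDrive)", "US", "N/A"),
]


def audit(records: list[Record]) -> dict[str, list[str]]:
    """Map each activity with at least one finding to its findings."""
    return {r.activity: check_record(r) for r in records if check_record(r)}


if __name__ == "__main__":
    for activity, findings in audit(SAMPLE).items():
        print(f"{activity}: {'; '.join(findings)}")
```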
34.
Take Action
Not everything has changed, just as not everything has been harmonized
New obligations, but also removal of some administrative burdens and further guidance
(New) technologies introduce new compliance risks, but technologies can also be used to mitigate risk and/or ensure compliance
Take action now!
GDPR applies from 25 May 2018
35. Victor Braeckmanlaan 107
9040 Gent, Belgium
Tel: +32 9 230 36 62
Fax: +32 9 231 63 71
E-mail: info@ifori.be
IFORI BVBA
RPR: 472.073.759 (Gent)
BTW: BE 472.073.759
IBAN: BE14 0689 0654 8283
BIC: GKCCBEBB
Thank you
Questions?
WWW.IFORI.BE
WWW.GDPREXPERT.BE
Presentation available online: www.gdprexpert.be/gdprblog
37. Cookies
Directive on privacy and electronic communications - Telecoms Law (Be)
– Information
– Consent
GDPR
– Processing of personal data
‒ Controller: You/Third-party cookie provider
‒ Processor: Third-party cookie provider
38. Employment
Monitoring: Belgium: CAO nr. 81 & Privacy Act/GDPR
Principles: Finality, Proportionality, Transparency
– Professional communications(?): Access (?)
– Non-professional communications: Individualization Procedure
See also the recommendations by the Privacy Commission
39.
“One-stop-shop”
Controllers and Processors answer to a ‘lead supervisory authority’
– Based on their single or main establishment in the EU
– For cross-border processing
But other supervisory authorities may still address infringements
– If the infringement relates to an establishment in its MS; or
– If it substantially affects data subjects in its MS
Consistency through cooperation between DPAs with EDPB oversight