3. AGENDA OF THE TRAINING
I. INTRODUCTION
II. DATA PROTECTION KEY REQUIREMENTS.
III. WHAT DOES PERSONAL DATA MEAN.
IV. DATA PROCESSING. ROLES.
V. PRINCIPLES.
VI. NEC ACCOUNTABILITY.
VII. LEGAL BASIS FOR PROCESSING PERSONAL DATA.
VIII. PERSONAL DATA BREACHES.
IX. ENFORCEMENT.
X. NEC EMPLOYEES’ RESPONSIBILITIES
XI. QUIZ
4. • The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data №108.
• OECD Guidelines.
• GDPR and EU members’ data protection law.
• Protection law acts, standards and regulations which are in force. Protection of Personal Data No. 6698 dated April 7, 2016 (PDPL), Federal Law of July 2006, POPI Act…
• Data privacy cases, precedents, guidelines.
Source @UNCTAD 2020.
I. INTRODUCTION. OVERVIEW
Data protection laws generally set out rules and standards for the use and handling ('processing') of
information ('personal data') about living identifiable individuals ('data subjects'). Laws apply to
organizations in all sectors, both public and private.
Data Protection Laws. Global Overview
5.
• Enforcement
• Accountability
• Data Protection Principles
• Security on processing
• Registry of activities
• Data Subject Rights
• Data Breaches
II. DATA PROTECTION KEY REQUIREMENTS
DATA PROTECTION LAWS ARE BASED AROUND THE NOTIONS OF PRINCIPLES, INDIVIDUALS' RIGHTS, RISK ASSESSMENTS AND THE ACCOUNTABILITY CONCEPT.
Data protection laws seek to prevent the abuse and misuse of personal data belonging to the individuals whose information is collected, processed, and used by companies.
6. III. PERSONAL DATA MEANING UNDER DATA PROTECTION LAWS
Personal Data means any information relating to an identified or identifiable natural person.
Sensitive Personal Data includes data consisting of racial or ethnic origin, political opinions, religious or
philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health
or data concerning a natural person's sex life or sexual orientation.
7.
III. PERSONAL DATA EXAMPLES
Betty Miller
ID Number: N000182
miller-b@nec.com
+33 134 432345
Algeria
male
40 Years
IP: 7000182-23-3019
born: 12.01.1980
Moscow Road, London
likes hamburgers
BA of Law 1993,
Engineer. Project Manager Leader
shoe size: 48/12,5
married, 4 kids
John Smith
8. IV. DATA PROCESSING/ ROLES UNDER DATA PROTECTION LAWS
Processing: Processing covers a wide range of operations performed on personal data, including
by manual or automated means. It includes the collection, recording, organization, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure or
destruction of personal data. For example, staff management and payroll administration; access
to/consultation of a contacts database containing personal data.
Data Controller/Responsible Party/Operator: person or entity who (either alone, jointly, or in
common with others) determines the purposes for which and the manner in which personal data is
processed. In other words, deciding “what” personal data will be processed for and “how” it will be
done. NEC shall act as Data Controller/Responsible Party/Operator when it determines the purposes
for which, and the way in which, personal data is processed.
Data Processor/Operator/party that processes personal data under the Operator’s instructions:
person or entity who processes personal data on behalf of a controller/Responsible Party/Operator.
gathering
collecting
uploading
recalling
storing
deleting
modifying
auditing
using
sending
distributing
modulating
linking
restricting
printing
editing
erasing
transferring
adjusting
9. IV. DATA PROCESSING/ ROLES UNDER DATA PROTECTION LAWS
It is essential for NEC to be able to determine the role in which it is acting in respect of the processing. This is particularly important in situations such as a data breach, where it will be necessary to determine which organisation has data protection responsibility.
The key distinction is to determine the degree of independence that each party has in determining how and in what manner the data is processed, as well as the degree of control over the content of personal data.
The fact that one organisation provides a service to another organisation does not necessarily mean that it is acting as a data processor (also called operator or party that processes personal data under the Operator’s instructions). It could be a data controller (also called responsible party or operator) in its own right, depending on the degree of control it exercises over the processing operation.
NEC cannot assume both roles for the same data processing activity: it must be one or the other. However, it can be acting as both in the same Agreement.
Make sure that you comply with NEC GUIDELINES. A data processing agreement (DPA) must be signed.
17. VI. NEC ACCOUNTABILITY
Accountability requires translating legal requirements into risk-based, verifiable and enforceable corporate practices and controls.
Accountability is one of the data protection principles - it makes NEC responsible for complying with Data Protection Laws and says that NEC must be able to demonstrate compliance. NEC must be able to demonstrate accountability – internally and externally.
Accountability is not static, but dynamic, reiterative and a constant journey. Accountability obligations are ongoing.
• Leadership and oversight
• Risk Assessment
• Policies and procedures
• Transparency
• Training and Awareness
• Monitoring and verification
Accountability: effective compliance and protection for individuals.
Implement a privacy management framework: this can help you embed your accountability measures and create a culture of privacy across NEC.
Being accountable can help NEC in EMEA to build trust with individuals and may help NEC mitigate enforcement action.
18. VII. LEGAL BASIS FOR PROCESSING PERSONAL DATA
NEC in EMEA must have a valid lawful basis in order to process personal data.
No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on NEC's purpose and relationship with the individual.
A lawful basis for processing personal data may consist of at least one of the following legal grounds and will vary per personal data processing activity, scope and purpose.
• Data Subject provides consent to the processing.
• Legitimate interest of the controller provided that rights and freedoms of data subject are not violated.
• Performance of a contract to which the data subject is party.
• Compliance with a legal obligation.
• Protection of vital interests.
• Public interest or official authority.
22. IX. ENFORCEMENT
Enforcement can be significantly different in each country. However, most EMEA Data Protection Supervisory Authorities are entitled to:
• carry out checks;
• consider complaints from data subjects;
• require the submission of necessary information about personal data processing by the data controller;
• require the undertaking of certain actions according to the law by the data processor, including discontinuance of the processing of personal data;
• file court actions;
• initiate criminal cases; and
• impose administrative liability.
25. X. NEC EMPLOYEES’ RESPONSIBILITIES
All NEC employees are responsible for Data Protection.
Data Protection is for the entire Group.
All employees have an important role in continuous compliance with Data Protection Laws.