EU GDPR (training)

 Prior to the EU GDPR, the US had entered into the
EU-US Mutual Legal Assistance Treaty (MLAT)
2003
 Then there was the Safe Harbor Agreement which
set minimum requirements for US-EU
transactions, but…
 The Court of Justice of the European Union (CJEU)
declared in Schrems that the Safe Harbor
Agreement was invalid because it failed to meet
the standards set forth by the EU. The level of
protection in the US was “inadequate” to protect
privacy because US public authorities had access
to the data on a generalized basis for any EU
citizen who’s data was transmitted to the US. This
“generalized, mass, and unlimited” surveillance
was contrary to EU’s privacy and data protection
requirements.
 So on April 14, 2016, the EU GDPR became law
with an effective date of May 25, 2018.
https://www.eugdpr.org/
E Baker Law Firm Pllc

 On July 12, 2016, the EU-US and Swiss-US (on January 12, 2017) entered into the
Privacy Shield Frameworks. This was enforced by the FTC and DOT under the False
Statements Act and or as a violation of 49 USC 41712, but ONLY if the US companies
voluntarily participated in the program.
 In December 2016, the EU-US Umbrella Agreement was entered into with an
effective date of February 1, 2017. This transatlantic agreement set privacy and data
protection safeguards for personal information transferred between the EU and US
for prevention, investigation, detection and prosecution of criminal offenses.
VOLUNTARY AGREEMENTS / FRAMEWORKS

 Identify workflow process / data
flow for personal information/data
subject to the EU GDPR
 How data comes in,
 How data is retained/stored,
 How data is transmitted,
 How data is transferred to third party?
 Identify where the data is,
 Who has access to the data,
 Can / How do you retrieve data,
 Can you delete the data upon request?

 “personal data”
 “processing”
 “controller”
 “processor”
 “recipient”
 “third party”
 “consent”
 “cross-border processing”
 “international organisation”

 Lawful, fairly, transparent
 Collected for specified, explicit,
legitimate purpose
 Adequate, relevant, limited to
what is necessary
 Accurate, up-to-date
 Kept in form where identification
of data subjects is not longer than
necessary
 Secure
 Ability to demonstrate compliance

1. Consent
a. Controller must be able to
demonstrate
b. If written consent, must be
“clearly distinguishable” from
other matters, intelligible, easily
accessible, clear and plain
language
c. Prior to consent, must be given
notice of right to withdraw
consent at any time
d. Freely given (e.g. was it
contingent upon performance of
contract or provision of service
and not necessary for that)
2. Necessary
3. Children – 15 years or
younger – must have consent
of holder of parental
responsibility (member states
may require younger age but
not cannot go below age 13)

Processing personal data prohibited for data:
 related to race,
 ethnic origin,
 political opinion,
 religious or philosophical beliefs,
 trade union membership,
 genetic data, biometric data for the purpose of
uniquely identifying a natural person,
 health,
 Sex life or sexual orientation
UNLESS
1. Explicit consent for specified purpose (except if
EU member state does not allow consent by
natural person)
2. Necessary
a. for employment, social protection law
b. To protect vital interests of data subject or another
natural person (when data subject not physically or
legally capable of consenting)
c. For establishment, exercise or legal defense or by
courts
d. Substantial public interest
e. Preventive or occupational medicine
f. Public interest in public health
g. Archiving purposes
3. Carried out in course of legitimate activities
with safeguards by not-for profit body
4. Data made public by data subject

Controller shall provide notice to
data subject in reference to Articles
13, 14, 15-22, 34:
 concise
 transparent
 intelligible
 easily accessible form
 clear and plain language
 in writing including
electronic means
 without undue delay,
within 1 month of receipt of
request (or inform as to why will
not)
 free of charge
 may request additional
information to substantial identify
of data subject/requestor

 Period for which the data will be stored
 Existence of right to request from controller access to,
rectification of, or erasure of data or restriction of
processing concerning data or to object to processing as
well as right to data portability
 Existence of right to withdraw consent at any time
(Article 6(1)(a), 9(2)(a))
 Right to lodge complaint with supervisory authority
 Whether the provision of personal data is statutory or
contractual, etc.
 Existence of automated decision making (profiling,
meaningful information about logic involved,
significance, and envisaged consequences of processing)
If controller intends to further process the data for
purpose other than for which it was collected, controller
shall provide the data subject PRIOR to the further
processing with information on other purpose and the
above information.

 Identify and contact details of controller
 Contact details of data protection officer
 Purpose for processing the data and legal basis
 Categories of personal data concerned
 Recipients or categories of recipients
 If applicable, the fact that they data will be transferred to third party or international organization,
existence (or absence) of adequacy decision by Commission, reference to the appropriate or suitable
safeguards and means to obtain copy of them (or where they are available)
 Period for which the data will be stored
 Where the processing is based, legitimate interests pursued by controller or third party
 Existence of right to request from controller access to, rectification of, or erasure of data or restriction
of processing concerning data or to object to processing as well as right to data portability
 Existence of right to withdraw consent at any time (Article 6(1)(a), 9(2)(a))
 Right to lodge complaint with supervisory authority
 Where the personal data (what source) originated, whether it was from publicly accessible sources
 Existence of automated decision making (profiling, meaningful information about logic involved,
significance, and envisaged consequences of processing)

Implement appropriate technical and
organisational measures to ensure
processing is performed in
compliance with GDPR
Implement policies
Adhere approved code of conduct or
certification mechanisms
Implement appropriate technical and
organisational methods such as
pseudonymisation designed to
implement data protection principles
(data minimisation) to protect the
rights of the data subject (1) at time
of determination of the means for
processing and (2) at the time of
processing
Maintain written (electronic) records
of processing activities (see Act for
details) (*not applicable to
companies with less than 250
employees unless high risk)

Designate DPO where processing is
by public authority,
Core activities are
 regular and systematic monitoring of data
subjects on large scale
 Processing on large scale special categories
of data and personal data relating to criminal
convictions or offences
Group may appoint one DPO if easily
accessible by each office
All other cases, unless required by
Member State law, “may” appoint
DPO
DPO shall have expert knowledge of
GDPR, practices, and have ability to
fulfill tasks (Art. 39)
May be staff member of Controller or
Processor or under contract
Contact details of DPO shall be
published and communicated to
supervisory authority
Responsibilities
 Inform and advise controller, processor,
employees
 Monitor compliance
 Provide advice re data protection impact
assessment, monitor performance
 Act as contact point for and cooperate with
supervisory authorityE Baker Law Firm Pllc

1. Pseudonymisation, encryption of personal data
2. Ensure ongoing confidentiality, integrity,
availability, resilience of processing systems and
services
3. Ability to restore availability and access to data
in timely manner
4. Process for regular testing, assessing, evaluation
of effectiveness of technical and organisational
measure ensuring security
5. Code of Conduct or Approved Certification
Mechanism (Article 40, 42 respectively)

1. Controller shall (without undue delay, where
feasible) within 72 hours after becoming aware of
breach notify the supervisory authority
2. Required notice provisions:
a. Nature of breach, categories, number affected
b. Name and contact of data protection officer
c. Consequences of breach
d. Measures to be taken (or taken) to address, mitigate
3. Controller shall document every breach
4. Notify* data subject if “high risk to rights and
freedoms”
No Notice required if data encrypted, subsequent
measures taken which make it likely there is no
high risk, or disproportionate effort required
(public communication instead)

Only processors providing sufficient guarantees to
implement appropriate technical and organisational
measures in such a manner that processing will meet
requirements of GDPR
No sub-processors without controller’s prior written
authorization
Shall be governed by contract (see details required) or law
Adherence to approved code of conduct or approved
certification mechanism
Maintain written (electronic) record of all categories of
processing activities carried out for controller (see Act for
details) (*not applicable to companies with less than 250
employees unless high risk)

For more information on how to bring your organisation into compliance with
the EU GDPR, data privacy, regulatory compliance, risk management, and or
setting up your workflow processes, policies, procedures. Please contact:
Elizabeth Baker, JD, CRCMP
Internationally certified Risk and Compliance Management Professional (EU, US)
ebakerjd@ebakerjdlaw.com

EU GDPR (training)

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à EU GDPR (training)

Similaire à EU GDPR (training) (20)

Plus de Elizabeth Baker, JD, CRCMP

Plus de Elizabeth Baker, JD, CRCMP (12)

Dernier

Dernier (20)

EU GDPR (training)