
GENERAL DATA PROTECTION REGULATION (the ‘GDPR’)

Personnel training in the processing of personal data

What’s the General Data Protection Regulation?

The GDPR seeks to protect individuals against violations of their privacy that may arise from the processing of personal data.
The General Data Protection Regulation is set to replace the Data Protection Directive effective May 25, 2018. The GDPR is
directly applicable in each Member State and will lead to a greater degree of data protection harmonization across EU
nations. The GDPR empowers data subjects to seek judicial relief for damages and file administrative complaints with
supervisory authorities.
Basic terms
● the definition of data controller and data processor

● Data controller means the natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purposes and means of the processing of personal data;
where the purposes and means of such processing are determined by Union or Member State law,
the controller or the specific criteria for its nomination may be provided for by Union or Member
State law (e.g. a limited liability company)
● Data processor means a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller (e.g. an external accountant, or an external company
providing marketing services for the data controller)
Basic terms
● the definition of personal data under the GDPR

● Personal data is any information relating to an identified or identifiable natural person

● "personal data" means any information relating to an identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location data, an
online identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person;
Basic terms
● the definition of personal data under the GDPR

an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference
to an identifier such as:

● a name
● an identification number
● location data
● an online identifier or
● to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person
● personal appearance recording
Basic terms
● the definition of sensitive personal data under the GDPR

Sensitive Personal Data means data consisting of:

● racial or ethnic origin
● political opinions
● religious or philosophical beliefs
● trade union membership
● genetic data
● biometric data
● data concerning health
● data concerning a natural person's sex life or sexual orientation
Basic terms
● the definition of sensitive personal data under the GDPR

What’s changed?

● genetic data means personal data relating to the inherited or acquired genetic
characteristics of a natural person which give unique information about the
physiology or the health of that natural person and which result, in particular,
from an analysis of a biological sample from the natural person in question
● biometric data means personal data resulting from specific technical
processing relating to the physical, physiological or behavioural
characteristics of a natural person, which allow or confirm the unique
identification of that natural person, such as facial images or dactyloscopic
data
What is personal data processing?

The GDPR applies “to the processing of personal data wholly or partly by automated means and to the
processing other than by automated means of personal data which form part of a filing system or are
intended to form part of a filing system”

Processing = operation or set of operations which is performed on personal data or on sets of personal
data, whether or not by automated means such as:
● collection
● recording
● organisation
● structuring
● storage
● adaptation or alteration
● retrieval
● consultation
● use
● disclosure by transmission
● dissemination or otherwise making available
● alignment or combination
● restriction
● erasure or destruction
When may personal data be processed?

Processing can only take place if one of the following applies:

1. Data subject has given his/her consent
2. For the performance of a contract
3. To comply with a legal obligation to which the data controller is subject
4. To protect the data subject’s vital interests
5. For the performance of an activity which is in the public interest or in the exercise of an official
authority
6. In the legitimate interest of the data controller unless it breaches the fundamental rights and
freedoms of the subject
HOW SHOULD PERSONAL DATA BE PROCESSED?
The Principles of Data Protection

❖ fairly, lawfully and in a transparent manner
❖ not processed for any purpose that is incompatible
❖ adequate, relevant and limited
❖ accurate and up to date
❖ not kept for a period longer than is necessary
❖ integrity and confidentiality
❖ fairly, lawfully and in a transparent manner

This principle is central to complying with the provisions of the Act and requires:

● having legitimate reasons for collecting and using the personal data
● not using the data in ways that have unjustified adverse effects on the individuals concerned
● being open and honest about how the data will be used
● handling people’s personal data only in ways they would reasonably expect
● making sure not to do anything unlawful with the data

Lawful = the processing of personal data must not involve the commission of an unlawful act e.g. a
criminal offence
❖ not processed for any purpose that is incompatible

● The purpose for which the data was primarily collected must be respected
● If the data will be used for a different purpose, data subjects should be appropriately informed
❖ adequate, relevant and limited

● Personal data about an individual which is held should be sufficient for the purpose intended
● No more information than is needed for such purpose should be processed
● The minimum amount of personal data needed to properly fulfil the intended purpose should be
identified – ‘data minimisation’
● Linked to the above – only the amount of data needed should be held
● Irrelevant details should not be processed
❖ accurate and up to date

Ensure that:

● personal data is not incorrect or misleading
● certain personal data is kept up to date
● other information may not need to be updated
❖ not kept for a period longer than is necessary

The Act does not set out any specific minimum or maximum periods for retaining personal data.

Instead, it says that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for
that purpose or those purposes.

In practice, it means that you will need to:

● review the length of time you keep personal data;
● consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
● securely delete information that is no longer needed for this purpose or these purposes; and
● update, archive or securely delete information if it goes out of date.
❖ integrity and confidentiality

This principle states that personal data shall be:

"processed in a way that ensures appropriate security of the personal data, including protection against
unauthorised or unlawful processing and against accidental loss, destruction or damage, using
appropriate technical or organisational measures".
ACCOUNTABILITY
The last principle under GDPR states that data controllers must be able to
demonstrate compliance with the other principles
❖ accountability

The range of processes that organisations have to put in place to demonstrate compliance will vary depending on the
complexity of the processing but may include:
● assessing current practice and developing a data privacy governance structure which may include appointing a Data
Protection Officer;
● creating a personal data inventory;
● implementing appropriate privacy notices;
● obtaining appropriate consents;
● using appropriate organisation and technical measures to ensure compliance with the data protection principles;
● using Privacy Impact Assessments; and
● creating a breach reporting mechanism.
PRINCIPLES OF DATA PROTECTION
Information to be provided where personal data are collected from the data subject

❖ Identity and contact details of data controller and his representative (if applicable)
❖ Contact details of Data Protection Officer (if applicable)
❖ Purpose of processing
❖ Recipients or categories of recipients
❖ Intention to transfer personal data (if applicable)
❖ Storage limit
❖ Rights of access, rectification or erasure
❖ Right to withdraw consent (if applicable)
❖ Right to lodge a complaint
❖ Consequences for failure to provide personal data (if applicable)
❖ The logic involved in automated decision making (if applicable)
Information to be provided where personal data have not been obtained from the data subject

❖ Identity and contact details of controller and his representative (if applicable)
❖ Contact details of Data Protection Officer (if applicable)
❖ Purpose of processing
❖ Recipients or categories of recipients
❖ Intention to transfer personal data (if applicable)
❖ Storage limit
❖ Rights of access, rectification or erasure
❖ Right to withdraw consent (if applicable)
❖ Right to lodge a complaint
❖ The source of the personal data
❖ The logic involved in automated decision making (if applicable)
CONSENT TO PERSONAL DATA PROCESSING
Consent to personal data processing

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and
unambiguous indication of the data subject's agreement to the processing of personal data relating to
him or her, such as by a written statement, including by electronic means, or an oral statement. This could
include ticking a box when visiting an internet website, choosing technical settings for information society
services or another statement or conduct which clearly indicates in this context the data subject's
acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity
should not therefore constitute consent.

Consent should cover all processing activities carried out for the same purpose or purposes.

When the processing has multiple purposes, consent should be given for all of them. If the data subject's
consent is to be given following a request by electronic means, the request must be clear, concise and not
unnecessarily disruptive to the use of the service for which it is provided.
Consent of the data subject

‘consent’ of the data subject means

● any freely given
● specific
● informed
● and unambiguous indication of the data subject's wishes

by which he or she, by a statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating to him or her
THE RIGHTS OF INDIVIDUALS
The Data Protection Act gives rights to individuals in respect of the personal
data that organisations hold about them
The rights of individuals

These are the rights of individuals:

❖ a right of access by the data subject
❖ a right to rectification
❖ a right to restriction of processing
❖ a right to erasure (‘right to be forgotten’)
❖ a right to data portability
❖ a right of access by the data subject

The data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning him
or her are being processed, and, where that is the case, access to the personal data and the following information:

● the purposes of the processing
● the categories of personal data concerned
● the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in
third countries or international organisations
● where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine
that period
● the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of
personal data concerning the data subject or to object to such processing
● the right to lodge a complaint with a supervisory authority
● where the personal data are not collected from the data subject, any available information as to their source
● the existence of automated decision-making, including profiling
❖ a right to rectification

● The data subject shall have the right to obtain from the controller without undue delay the
rectification of inaccurate personal data concerning him or her

● Taking into account the purposes of the processing, the data subject shall have the right to have
incomplete personal data completed, including by means of providing a supplementary statement
❖ a right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following
applies:

● the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the
accuracy of the personal data
● the processing is unlawful and the data subject opposes the erasure of the personal data and requests the
restriction of their use instead
● the controller no longer needs the personal data for the purposes of the processing, but they are required by the data
subject for the establishment, exercise or defence of legal claims
● the data subject has objected to processing pending the verification whether the legitimate grounds of the controller
override those of the data subject
❖ a right to restriction of processing

● Where processing has been restricted such personal data shall, with the exception of storage, only be processed
with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of
the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member
State

● A data subject who has obtained restriction of processing shall be informed by the controller before the restriction
of processing is lifted.
❖ a right to erasure (‘right to be forgotten’)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her
without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of
the following grounds applies:

● the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise
processed
● the data subject withdraws consent on which the processing is based, and where there is no other legal ground for
the processing
● the data subject objects to the processing
● the personal data have been unlawfully processed
● the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which
the controller is subject
● the personal data have been collected in relation to the offer of information society services
❖ a right to erasure (‘right to be forgotten’)

Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking
account of available technology and the cost of implementation, shall take reasonable steps, including technical measures,
to inform controllers which are processing the personal data that the data subject has requested the erasure by such
controllers of any links to, or copy or replication of, those personal data.

The above shall not apply to the extent that processing is necessary:

● for exercising the right of freedom of expression and information
● for compliance with a legal obligation which requires processing by Union or Member State law to which the
controller is subject or for the performance of a task carried out in the public interest or in the exercise of official
authority vested in the controller
● for reasons of public interest in the area of public health
● for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
● for the establishment, exercise or defence of legal claims
❖ a right to data portability

● The data subject shall have the right to receive the personal data concerning him or her, which he or she has
provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit
those data to another controller without hindrance from the controller to which the personal data have been provided

● In exercising his or her right to data portability, the data subject shall have the right to have the personal data
transmitted directly from one controller to another, where technically feasible
RESPONSIBILITIES OF A DATA CONTROLLER
Responsibilities of data controller

❖ privacy by design & privacy by default
❖ data protection impact assessment
❖ the appointment of Data Protection Officer
❖ a record of processing activities
❖ notification of a personal data breach to the supervisory authority
❖ processing by a processor shall be governed by a contract or other legal act
❖ implementation of data security and procedures related to data protection
❖ privacy by design & privacy by default

Article 25 - Data protection by design and by default

● The controller shall implement appropriate technical and organisational measures for ensuring that,
by default, only personal data which are necessary for each specific purpose of the processing are
processed
● That obligation applies to the amount of personal data collected, the extent of their processing, the
period of their storage and their accessibility
● The controller shall, both at the time of the determination of the means for processing and at the
time of the processing itself, implement appropriate technical and organisational measures, such
as pseudonymisation, which are designed to implement data-protection principles, such as data
minimisation, in an effective manner and to integrate the necessary safeguards into the processing
in order to meet the requirements of the Regulation
❖ data protection impact assessment

❖ Where a type of processing in particular using new technologies, and taking into account the nature, scope, context
and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the
controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing
operations on the protection of personal data. A single assessment may address a set of similar processing
operations that present similar high risks.
❖ The controller shall seek the advice of the data protection officer, where designated, when carrying out a data
protection impact assessment
❖ A data protection impact assessment shall in particular be required in the case of:
➢ a systematic and extensive evaluation of personal aspects relating to natural persons which is based on
automated processing, including profiling, and on which decisions are based that produce legal effects
concerning the natural person or similarly significantly affect the natural person
➢ processing on a large scale of special categories of data
➢ a systematic monitoring of a publicly accessible area on a large scale
❖ data protection impact assessment

The assessment shall contain at least:

● a systematic description of the envisaged processing operations and the purposes of the processing, including,
where applicable, the legitimate interest pursued by the controller
● an assessment of the necessity and proportionality of the processing operations in relation to the purposes
● an assessment of the risks to the rights and freedoms of data subjects
● the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure
the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights
and legitimate interests of data subjects and other persons concerned
❖ the appointment of Data Protection Officer (‘DPO’)

● The GDPR makes it a requirement that organisations appoint a data protection officer (DPO) in some circumstances.
● The GDPR also contains provisions about the tasks a DPO should carry out and the duties of the employer in respect of the
DPO.

When does a Data Protection Officer need to be appointed under the GDPR?

Under the GDPR, you must appoint a DPO if you:

● are a public authority (except for courts acting in their judicial capacity);
● carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
● carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into
account their structure and size.

Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your
organisation has sufficient staff and skills to discharge your obligations under the GDPR.
❖ the appointment of Data Protection Officer (‘DPO’)

What are the tasks of the DPO?

The DPO’s minimum tasks are defined in Article 39:

● To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other
data protection laws.
● To monitor compliance with the GDPR and other data protection laws, including managing internal data protection
activities, advise on data protection impact assessments; train staff and conduct internal audits.
● To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees,
customers etc).
❖ the appointment of Data Protection Officer (‘DPO’)

❖ What does the GDPR say about employer duties?

You must ensure that:

● The DPO reports to the highest management level of your organisation, i.e. board level.
● The DPO operates independently and is not dismissed or penalised for performing their task.
● Adequate resources are provided to enable DPOs to meet their GDPR obligations

❖ Can we allocate the role of DPO to an existing employee?

Yes. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of
interests. You can also contract out the role of DPO externally.

❖ Does the data protection officer need specific qualifications?

The GDPR does not specify the precise credentials a data protection officer is expected to have. It does require that they should have
professional experience and knowledge of data protection law. This should be proportionate to the type of processing your
organisation carries out, taking into consideration the level of protection the personal data requires.
❖ a record of processing activities

Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under
its responsibility. That record shall contain all of the following information:

● the name and contact details of the controller and, where applicable, the joint controller, the controller's
representative and the data protection officer
● the purposes of the processing
● a description of the categories of data subjects and of the categories of personal data
● the categories of recipients to whom the personal data have been or will be disclosed including recipients in third
countries or international organisations
● where applicable, transfers of personal data to a third country or an international organisation, including the
identification of that third country or international organisation and, in the case of transfers
● where possible, the envisaged time limits for erasure of the different categories of data
● where possible, a general description of the technical and organisational security measures
❖ a record of processing activities

Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities
carried out on behalf of a controller, containing:

● the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting,
and, where applicable, of the controller's or the processor's representative, and the data protection officer
● the categories of processing carried out on behalf of each controller
● where applicable, transfers of personal data to a third country or an international organisation, including the identification of
that third country or international organisation and, in the case of transfers
● where possible, a general description of the technical and organisational security measures
❖ a record of processing activities

● Please note that the obligation does not apply to organisations employing fewer than 250 persons,
unless the processing is of a high-risk nature, including processing of special categories of personal
data such as ethnic or health information, or data about criminal behavior.

● Furthermore, the controller or the processor need to make the records available to the supervisory
authority upon request.
❖ processing by a processor shall be governed by a contract or other legal act

● Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing
sufficient guarantees to implement appropriate technical and organisational measures in such a manner that
processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject.
● The processor shall not engage another processor without prior specific or general written authorisation of the
controller. In the case of general written authorisation, the processor shall inform the controller of any intended
changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to
object to such changes.
● Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that
is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the
processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and
the obligations and rights of the controller.
● The contract or the other legal act shall be in writing, including in electronic form
❖ processing by a processor shall be governed by a contract or other legal act

What's new?

● The GDPR makes written contracts between controllers and processors a general requirement, rather than just a way of
demonstrating compliance with the seventh data protection principle (appropriate security measures) under the DPA.
● These contracts must now include certain specific terms, as a minimum.
● These terms are designed to ensure that processing carried out by a processor meets all the requirements of the GDPR (not
just those related to keeping personal data secure).
● The GDPR allows for standard contractual clauses from the EU Commission or a supervisory authority (such as the ICO) to be
used in contracts between controllers and processors - though none have been drafted so far.
● The GDPR envisages that adherence by a processor to an approved code of conduct or certification scheme may be used to
help controllers demonstrate that they have chosen a suitable processor. Standard contractual clauses may form part of such
a code or scheme, though again, no schemes are currently available.
● The GDPR gives processors responsibilities and liabilities in their own right, and processors as well as controllers may now be
liable to pay damages or be subject to fines or other penalties.
❖ processing by a processor shall be governed by a contract or other legal act

When is a contract needed?

Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to
have a written contract in place. Similarly, if a processor employs another processor it needs to have a written contract in
place.

Why are contracts between controllers and processors important?

Contracts between controllers and processors ensure that they both understand their obligations, responsibilities and
liabilities. They help them to comply with the GDPR, and help controllers to demonstrate their compliance with the GDPR.
The use of contracts by controllers and processors may also increase data subjects’ confidence in the handling of their
personal data.
PROFILING A NATURAL PERSON
Profiling a natural person

‘profiling’ means any form of automated processing of personal data consisting
of the use of personal data to evaluate certain personal aspects relating to a
natural person, in particular to analyse or predict aspects concerning that natural
person's performance at work, economic situation, health, personal preferences,
interests, reliability, behaviour, location or movements;
FAMILIARIZATION WITH INTERNAL PROCEDURES AND GUIDELINES FOR DATA PROTECTION
NOTIFICATION OF A PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY
Notification of a personal data breach to the supervisory authority

● In the case of a personal data breach, the controller shall without undue delay
and, where feasible, not later than 72 hours after having become aware of it,
notify the personal data breach to the supervisory authority, unless the
personal data breach is unlikely to result in a risk to the rights and freedoms
of natural persons.
● Where the notification to the supervisory authority is not made within 72
hours, it shall be accompanied by reasons for the delay.
Notification of a personal data breach to the supervisory authority

The notification shall at least:

● describe the nature of the personal data breach including where possible, the categories and
approximate number of data subjects concerned and the categories and approximate number of
personal data records concerned
● communicate the name and contact details of the data protection officer or other contact point
where more information can be obtained
● describe the likely consequences of the personal data breach
● describe the measures taken or proposed to be taken by the controller to address the personal data
breach, including, where appropriate, measures to mitigate its possible adverse effects
Notification of a personal data breach to the supervisory authority

● The controller shall document any personal data breaches, comprising the
facts relating to the personal data breach, its effects and the remedial action
taken
● That documentation shall enable the supervisory authority to verify
compliance with the principles of GDPR
Communication of a personal data breach to the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller
shall communicate the personal data breach to the data subject without undue delay.

The communication to the data subject shall not be required if any of the following conditions are met:

● the controller has implemented appropriate technical and organisational protection measures, and those measures
were applied to the personal data affected by the personal data breach, in particular those that render the personal
data unintelligible to any person who is not authorised to access it, such as encryption;
● the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data
subjects is no longer likely to materialise;
● it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar
measure whereby the data subjects are informed in an equally effective manner.

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach
and contain at least the information
THE PENALTIES FOR INFRINGEMENTS OF GDPR
❖ PENALTIES

The administrative fines are discretionary rather than mandatory; they must be imposed on a case-by-case basis and must
be “effective, proportionate and dissuasive”.

There are two tiers of administrative fines that can be levied:

❖ Up to €10 million, or 2% annual global turnover – whichever is higher.
❖ Up to €20 million, or 4% annual global turnover – whichever is higher.

The fines are based on the specific articles of the Regulation that the organisation has breached. Infringements of the
organisation’s obligations, including data security breaches, will be subject to the lower level, whereas infringements of an
individual’s privacy rights will be subject to the higher level.
Thank you for participating in the training