Law
Read books online » Law » GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖

Book online «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖». Author Adv. Prashant Mali



1 ... 8 9 10 11 12 13 14 15 16 ... 71
Go to page:
dictionary defines purpose as the intended or desired result, aim, or the reason why something exists. The purpose is the “why” and “how” of processing. Whereas the two remaining elements are self-explaining ”natural person, legal person or any other body” and “alone or jointly with others”. Art.4(7) of the GDPR defines controller as: the natural

or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller or the criteria for nominating the controller may be designated by those laws. Except from the part “or the criteria for nominating the controller “the definition is the same. Every entity considered to be a controller under the DPD is likely to be controller under the GDPR.

Controller`s obligations

The fact that a party is considered to be controller is connected to a list of obligations, which characterise the controller-status. The principle of accountability is ought to ensure the enforcement of the main data protection principles. Under the Directive, Art.6(2) only the controller is accountable. He must ensure compliance with the main data protection principles, when processing. Whereas under the GDPR the controller is not only accountable, but must also be able to demonstrate compliance with the main data protection principles, Art.5(2), rec.85.

The measures to demonstrate compliance have to be “appropriate technical and organizational measures” and codes of conduct, Art.24 GDPR. The GDPR tries to set down criteria in rec.74 GDPR to determine what a appropriate measure could be. The controller should take into account the nature, scope, context and risk to the rights and freedoms of natural persons.

Article 24 is implementing a "general principle of responsibility" at the forefront of the general obligations of the controller, the definition of which remains unchanged since the Directive (see G29, Opinion 3/2010 of 13 July 2010, on the principle of responsibility). Actually, the controller is defined as: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes (...) and the means of the processing of personal data” (Art. 4 (7)).

The principle included in the first paragraph is divided into two rules. The first rule confirms the special responsibility of the controller in the implementation of the appropriate technical and organizational measures to perform the processing in accordance with the Regulation.

The initial proposed version provided for a list of the measures in question, but this has not been included in the final version. However, the list is very useful to understand the scope of the principle. The version covered most of the unspecified general measures or a bit specified by the text of the Regulation, such as: maintaining of the documentation provided for in Article 30, the implementation of the obligations of data security provided for in Article 32, conducting an impact assessment on the protection of data in application of Article 35, the compliance with the obligations of authorization or preliminary consultation of the supervising authority in application of Article 36 (1) and (2), the designation of a data protection officer in application of article 37 (2) and (3).

This first rule also provides that to determine the appropriate technical and organizational measures, account must be taken of the nature, the scope, the context and the purpose of processing as well as the likelihood and the severity of risks with respect to the rights and freedoms of natural persons.

Recitals 75 and 76 give many examples of the envisaged risks: processing that is likely to result in physical, material or moral damage, in particular when the processing may give rise to discrimination, an identity theft or usurpation, financial loss, damage to reputation, loss of confidentiality of data protected by professional secrecy, when it comes to processing of sensitive data, when personal aspects are evaluated, etc. The probability and the severity have to be assessed depending on the nature, the scope, the context and the purpose of the processing of data. The risk should be subject to an objective assessment to determine if the data processing operations carry a high risk. According to recital 60 (3), high risk means a particular risk of prejudice to the rights and freedoms of individuals.

Paragraph 2 of Article 24 says that where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller. The second rule stems from the first and is focused on the proof of the implementation of these measures. Then, the burden of proof rests on the shoulders of the controller which must be able to demonstrate that the personal data is processed in compliance with the Regulation.

The third paragraph provides that adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article

42 may be used as an element by which to demonstrate compliance with the obligations of the controller. Recital 77 (4) includes the indications given by the data protection officer.

Neither the Directive nor the legislation analysed in this commentary provided a provision comparable to that provided for in Article 22 of the Regulation.


Art. 25 GDPR Data protection by design and by default

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as Pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for

each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Suitable Recitals

Appropriate technical and organisational measures.

COMMENTARY:

“Design is a funny word. Some people think design is how it looks. But of course, if you dig deeper, it’s really how it works.” -Steve Jobs

The EU Data Protection Directive did not explicitly include privacy by design. However, given that the right to privacy is a fundamental element of the European Convention on Human Rights, it was clear that those designing technology ought to consider privacy as part of their product design, in the same way that they would take measures to not discriminate on the basis of race or gender as part of that process. The formalisation of that position is therefore included in the GDPR.

The principle of privacy by design and by default is consistent with, and an extension of, the requirement for data minimisation under Article 5 of the GDPR; namely that systems and technology should be designed in such a way so as to ensure that: (i) data processing is limited to what is necessary for the purpose for which the data was collected; and, (ii) only those within an organisation who need to access the personal data can do so.

The GDPR provides for a voluntary certification by which entities can demonstrate compliance with the principles of design and default by way of data protection seals and marks. Given that the privacy rights that the GDPR promotes are likely to change the expectations of citizens, when considering future products, such a proposal provides for a commercial advantage to those that choose to obtain these seals and marks, rather than just a regulatory obligation - again furthering the principle that the subjects are champions of the data.

The GDPR obliges controllers to implement measures of safeguard in every planning or processing phase of every new product or service, Art.25, rec.78.

Compliance Description

Article 25 conveys the key principles—privacy by design and privacy by default— underlying the entire GDPR. For example:

Article 5 (1) requires that data processing be limited to what is necessary given the purpose for which the data is initially collected (privacy by design) and be limited to those who need to access the data (privacy by default).

Article 32 (1) (b) requires the ongoing confidentiality and integrity of processing data processing systems and services (data privacy by design and default).

Although, Pseudonymisation and data minimization are required technical measures, Article 25 gives Data Controllers flexibility in determining which additional technical measures best ensure data security and privacy. When selecting a measure, the Data Controller must document an evaluation of the measure along four criteria:

State of the Art: An evaluation of the latest and most advanced data security and privacy enhancement tools available. For example, some newer technologies are behavior analytics that profile normal behavior patterns and trigger alerts when a divergence occurs, privileged user monitoring that checks user activities and blocks access to data if necessary, and Format Preserving Encryption (FPE) that encrypts data employing the existing database format.

Processing Profile: An evaluation of the nature, scope, context, and purposes of the data processing.

Risk Profile: An evaluation of the likelihood and severity of risks to the rights and freedoms of natural person when processing personal data. Risks include “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processes.” Conducting a risk assessment is best done with a Privacy Impact Assessment (PIA), as specified in Article 35 of the GPDR.

Cost: An evaluation of the cost of implementation relative to the risk profile.

Data privacy by design ensures that privacy is built into products, services, application, business and technical processes. Data privacy by default protects a natural person’s fundamental rights and freedom to protection of their personal data. Implementing data privacy by design and default guarantees, at a minimum, that:

Only personal data necessary for a specific purpose is collected.

Only data relevant to the original data collection purpose can be processed.

Data that is no longer needed must be deleted.

Natural persons can opt in or opt out of any collection, storage, processing, or deletion of their personal data.

Compliance Methods

Complying with Article 25 requires both organizational and technology strategies.

Organizational Strategies

A few organizational strategies are:

Not copying production databases for development, testing, or analytics purposes. Instead the data should be anonymized or pseudonymized.

Not storing spreadsheets and other data sources in a local folder or to a SaaS application such as Box, Dropbox, Google Drive, or OneDrive.

Limiting email archive access to a limited number of privileged users and monitoring their activity.

Requiring encryption of emails containing identifiable personal data.

Protecting personal data at-rest, in-motion, and in-use employing an existing database format.

Setting and enforcing policies about using bring-your-own-devices to access secured data.

Implementing staff training, internal audits of processing activities, policy reviews, and documentation of compliance

Technology Strategies

Ensuring data privacy by design and default can be achieved through:

Data masking: Anonymizes data via encryption/hashing, generalization, perturbation, etc. Pseudonymizes data by replacing sensitive data with realistic fictional data that maintains operational and statistical accuracy.

Ethical walls: Maintains strict separation between business groups to comply with M&A requirements, government clearance, etc.

Privileged user monitoring: Monitors privileged user database access and activities. Blocks access or activity, if necessary.

User rights management: Identifies excessive, inappropriate, and unused privileges.

User tracking: Maps the web application end user to the shared application/database user to the final data accessed.

VIP data privacy: Maintains strict access control on highly sensitive data, including data stored in multi-tier enterprise applications such as SAP and PeopleSoft.


Art. 26 GDPR Joint controllers

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-Ă -vis the data subjects. The essence of the arrangement shall be made available to the data subject.

Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

Suitable Recitals

Allocation of the responsibilities.

COMMENTARY:

The definitions of the controller allowed, as the Directive did, to qualify as "joint controllers" several people who jointly define the purposes and the means of the processing (see Article 2, d)) of the Directive.

Joint controllers and their obligations

Where two or more controllers determine the purposes and means of processing, they are joint controllers (Article 26). Under the GDPR joint controllers have to determine their respective responsibilities for legal compliance and rights of data subjects in a transparent manner. They can do so for example in a clear contractual arrangement. The arrangement needs to reflect the roles and relationships between the joint controllers and made available to data subjects. A data subject may exercise his or her rights against each of the controllers. Each data controller is individually liable for legal compliance under Article 82. After providing remedies

1 ... 8 9 10 11 12 13 14 15 16 ... 71
Go to page:

Free ebook «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖» - read online now

Comments (0)

There are no comments yet. You can be the first!
Add a comment