Law
Read books online » Law » GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖

Book online «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖». Author Adv. Prashant Mali



1 ... 10 11 12 13 14 15 16 17 18 ... 71
Go to page:
Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.

Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).

A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Suitable Recitals

The use of processors.

COMMENTARY:

Article 4 (8) defines the processor using the definition already available in the Directive. The processor is: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Article 28 of the Regulation extends the previous duties of controllers and processors while organizing a separate regime for their duties for security referred to in Article 32 et seq.

As before, the controller can only choose contractors with sufficient safeguards with respect to taking of appropriate technical and operational measures to meet the requirements of the Regulation and to ensure protection of the rights of the data subject.

The principle is still that of a specific contract between the controller and the processor, or by another specific legal act provided for the needs of the Union or of a Member State, binding the subcontractor and the controller. On the other hand, the content of the written contract - including an electronically format is extended. In addition to information on the processing itself (purpose, scope and duration of processing, etc.), the contract provides for the commitment of the processor to comply with a range of duties vis-Ă -vis to the controller, namely:

to process the personal data only on documented instructions from the controller – which was already provided – but these instructions will now be specifically documented - in particular the transfers of data to third countries – by the controller. An exception is made for the legal duties, which would subject the contractor who will be the subject of specific information by the processor, except for a justified legal exception for important reasons of public interest;

This duty is also reflected in Article 32 requiring the controller to take measures to ensure that anyone who has access to data under the authority of the controller or the processor can process them only on their instructions, unless required to do so by the law of a member State or a rule of the EU and provided that they inform the controller accordingly, unless such information is prohibited for important reasons of public interest.

To ensure that persons authorised to process the personal data have committed themselves to confidentiality;

To respect the conditions referred to in paragraphs 2 and 4 for engaging another processor (see below);

To assist the controller for the fulfillment of the controller's obligation to respond to requests for exercising the data subject's rights;

To assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the Regulation;

At the choice of the controller, to delete or return all the personal data to the controller after the end of the provision of services;

To make available to the controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Article 28 also requires the processor to immediately report to the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions. In addition to the duties provided for by the Directive, the Regulation organizes the question of processing entrusted to third parties - secondary processors by the direct processor of the processing controller, very common cases in practice. Thus, the possibility left to the secondary processor of the processor itself will be subject to a prior written consent (specific or general) by the controller. In the case of a written general authorization, the direct processor must inform the controller, prior to any change of the "secondary" processor to enable the controller to object.

In addition, this secondary processor contract must comply with the rules applicable to the content of the contract entered into between the controller and the main processor (Art. 28 (4)). Where that other processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which the processor shall demonstrate sufficient guarantees. The Regulation expressly provides the possibility of using standard contractual clauses provided by various sources as the basis of the specific contract between the controller and the processor (included in a procedure of certification, of the Commission or the supervisory authorities). The Commission is also empowered to establish standard contractual clauses for the matters referred to in paragraphs 3 and 4, in accordance with the consistency mechanism referred to in Article 63.

Finally, the last version of the Regulation specifically indicates that if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing. Article

17 of the Directive organized the system of processors as part of the security obligations. The Directive provided that the controller who acts through a processor

should ensure that such processor provides sufficient guarantees as to the implementation and the compliance with the security measures to be implemented. A binding legal contract or act should bind the controller and the processor, the latter having to state in particular that he or she will act only on instructions from the controller, as well as the safety measures he or she had to take.


Art. 29 GDPR Processing under the authority of the controller or processor

The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

COMMENTARY:

Article 16 of the Directive established the fundamental principle of confidentiality with respect to the personal data protection: any activity dealing with personal data processing can be performed only on the instruction of the controller. This requirement also applies to any person who has access to the personal data, whether this access is made by a person acting under the authority of the controller or the processor as well as to the processor him/herself.


Art. 30 GDPR Records of processing activities

Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;

The purposes of the processing;

A description of the categories of data subjects and of the categories of personal data;

The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

Where possible, the envisaged time limits for erasure of the different categories of data;

Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;

The categories of processing carried out on behalf of each controller;

Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.

The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Suitable Recitals

(13) Taking account of micro, small and medium-sized enterprises; (82) Record of processing activities.

COMMENTARY:

A data processing inventory reflects how the business processes data and starts with listing the processing activities and their purpose. A data processing inventory is aligned with how the business works, making it is easy for the business to engage. The GDPR creates an opportunity for organizations to limit their data inventory. Organizations need an inventory of their data processing operations, instead of all their data holdings and detailed inventory.

It is worth taking the time and effort to document each processing activity at the individual processing activity level. For example, 'how do we pay employee wages', 'how does someone register with our site', 'how does someone enter a competition'. Bear in mind that the same data sets, or components of the same data sets, might have multiple processing activities. Someone buying a product from an online ecommerce store will have their data processed to fulfill and deliver the

product. They might also have their personal data processed by a CRM team for marketing purposes, as well as by your finance team for statutory accounting activity.

When gathering this data, consider completing the following fields in a template that we can provide to you (this template also helps you analyze the data to produce useful metrics)

Legal entity and department;

Process owner;

Step by step process flow – from collection to disposal;

Categories of data collected;

Data subjects (e.g., employees, customers);

Lawful grounds for processing;

Volumes of data;

Where data is stored (location);

Where there is an European Economic Area transfer, what is the legal mechanism for this;

Retention period (or to agree on retention periods where they have not yet been decided);

Who has access to the data;

Are there any data processors involved in the process (and who they are); If so, has information security due diligence been conducted;

Check of the contract clauses to see if they meet Article 28 (Processor) requirements;

Notes on security measures applied.

The GDPR contains explicit provisions about documenting your processing activities.

You must maintain records on several things such as processing purposes, data sharing and retention.

Documentation can help you comply with other aspects of the GDPR and improve your data governance.

Controllers and processors both have documentation obligations.

For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities.

Information audits or data-mapping exercises can feed into the documentation of your processing activities.

Records must be kept in writing.

Most organisations will benefit from maintaining their records electronically.

Records must be kept up to date and reflect your current processing activities.

We have produced some basic templates to help you document your processing activities.

For organisations operating in the EU, a requirement of the EU Data Protection Directive 95/46/EC was to notify and register processing activities with local DPAs. Article 30 replaces this requirement and in this context, a processing data inventory is the same as a “records of processing activities” register. It is important to note this list is first concerned with the details of processing activities versus the details of a data holding repository and does not require the onerous process of documenting every data element that forms part of the data repository (though in practice, some companies may still want to do this).

Under the Directive, Article 16 (2) authorised the Member States to provide for two exceptions to the obligation to send a notification to the supervisory authority prior to the implementation of any processing:

The first one covered the categories of processing that are not likely to infringe the rights and the freedoms of the data subjects, given the data to process and as long as they specify the purposes, the categories of processed data, the data subjects, the

1 ... 10 11 12 13 14 15 16 17 18 ... 71
Go to page:

Free ebook «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖» - read online now

Comments (0)

There are no comments yet. You can be the first!
Add a comment