GDPR: Understanding the General Data Protection Regulation and Its Key Concepts, Lecture notes of Competition Law and Policy

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. These notes give an overview of the GDPR, its key concepts, and how it applies in real life. Topics covered include the scope of the GDPR, data processing, personal data, controllers and processors, data protection impact assessments, data subject rights, and more.

Typology: Lecture notes

2018/2019

Uploaded on 10/14/2019

walter.russo.nihon1

GDPR 1.0
What is GDPR and how does it impact us?

Ana-Maria Udriste

Lawyer, 2013 Bucharest Bar

Founder of Avocatoo

What are the organisational requirements?

  1. Record processing activities
  2. DPO (data protection officer)
  3. DPIA (data protection impact assessment)
  4. Data Protection by Design and by Default
  5. Technical and Organisational Measures
  6. Data Subject Rights
  7. Data Breach Notification
  8. Data Protection Management System
  9. Appointment of a Representative by Non-EU Entities
  10. Codes of Conduct

How does the GDPR apply in real life (scope)?

Material scope

Article 2 – Material Scope

  1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

[...]

The GDPR applies to any processing of personal data.

How does the GDPR apply in real life (scope)?

Personal data

Data is deemed personal if the information relates to an identified or identifiable individual.

Data is therefore personal if the identification of a person is possible based on the available data, meaning if a person can be detected, directly or indirectly, by reference to an identifier.

Examples: name, personal number, social security number, IP address, e-mail, phone number etc.

How does the GDPR apply in real life (whom)?

Processor

A ‘processor’ is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

2 conditions have to be met:

(1) being a separate legal entity/individual with respect to the controller;

(2) processing personal data on behalf of the controller.

How does the GDPR apply in real life (where)?

EU only?

GDPR applies in the following situations:

  • the processing of personal data takes place in the context of the activities of an establishment of the controller or processor within the EU;
  • the processing of the data of individuals within the EU takes place by a controller or processor not established in the EU;
  • offering of Goods or Services to Data Subjects in the EU.

Basic principles for data processing

  1. Lawfulness, Fairness and Transparency
  2. Purpose Limitation
  3. Data Minimisation
  4. Accuracy
  5. Storage Limitation
  6. Integrity and Confidentiality

Basic principles for data processing

  1. Lawfulness, Fairness and Transparency

Processing can only take place if covered by a legal permission or by the data subject’s consent.

The principle of transparency requires:

  • information for individuals on the identity of the controller;
  • information for individuals on the purposes of the processing;
  • further information in respect of the data subjects and their right to obtain confirmation and communication of processing activities performed on their personal data;
  • making individuals aware of the risks, rules, safeguards and rights in relation to the processing activities and how they can exercise those rights.

Basic principles for data processing

  4. Accuracy

Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data that is inaccurate, having regard to the purposes of the processing, is erased or rectified without delay.

  5. Storage Limitation

Personal data shall be kept in a form that permits identification of data subjects for no longer than necessary for the processing purposes (strict minimum).

Legal justification for data processing

  1. Consent
  2. Legal Permission
  3. Contractual Necessity
  4. Legitimate Interests of the Controller
  5. Legal Obligation of the Controller and Processing in the Public Interest
  6. Protection of Individuals’ Vital Interests
  7. Change of the Data Processing Purpose

Rights of Data Subjects

  1. Right to Access
  2. Rights to Erasure, Rectification and Restriction
  3. Right to Restriction of Processing
  4. Right to Data Portability
  5. Right to Object
  6. Automated Decision-Making

Rights of Data Subjects - right to access

The data subject has the right to obtain confirmation from the controller as to whether or not its personal data is being processed.

The data subject shall have access to its personal data processed and the following information:

  • the purposes of processing;
  • the categories of personal data concerned;
  • the recipients to whom the data has been or will be disclosed, in particular recipients in third countries or international organisations;