These notes provide an introduction to the General Data Protection Regulation (GDPR), a regulation in EU law on data protection and privacy. The GDPR aims to protect personal data, give individuals control over their data, and ensure the free flow of data within the EU. They cover the goals of the GDPR, who it applies to, the definition of personal data, data processing, and security measures.
Notes from the lectures of Data Ethics and Data Protection Year 2021/
The GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA. Article 8 of the Charter of Fundamental Rights of the European Union states:
The main objective of the GDPR is:
Art. 1:
The GDPR applies to anyone processing, or controlling the processing of, personal data. Companies in particular are affected by the GDPR. It is important to define two roles: the Controller and the Processor.
The GDPR affects all businesses collecting or holding personal data on EU citizens, no matter where the business is located. So, for example, if you process the data of European citizens from outside Europe, you must still comply with the right to be forgotten.
Art. 3: This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. It also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union [Art. 4 No. 16], where the processing activities are related to:
A case study: Entity J is located in Hong Kong and sells trend-oriented furniture and home accessories online. The products can only be paid for in US dollars, and delivery to Europe is not offered. However, J wants to analyse the European market as it is considering expanding its business. Anyone calling up the website needs to accept the usage of cookies, and J analyses the IP geolocation data to determine the country where the user is located. J processes the obtained data in order to find out how many European customers from which Member States visit the website and what they are mainly interested in. In this example, J is using web tracking to analyse the preferences of customers located in the EU. Therefore, the GDPR applies.

A case study: Entity H is located in Australia and runs an online shop. The company has no subsidiaries or representatives abroad and the online shop is available in English only. H stores the customer data. Payment is accepted in Australian dollars, as well as euros, and deliveries
Fig. S1. Main principle when dealing with personal data
Art. 4 No. 5 GDPR. This could be achieved by replacing the name or other characteristics with certain indicators, or by encoding the information and sharing the key with only a few people. Unlike anonymous data, pseudonymised data still falls within the scope of application of the GDPR, as the risk of re-identification is higher than for anonymous data.
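The mechanism the notes describe (identifiers replaced by tokens, with the key held by few people) as an added example, not part of the original lecture notes; the record layout, the sample people and the key are constructed for illustration. It shows why the result is still personal data: whoever holds the key or the lookup table can re-identify the records, while analysts without them can only link records of the same subject.

```python
"""Keyed pseudonymisation of direct identifiers (added example, not from the
notes). Tokens are HMAC-SHA256 over the identifier under a secret key, so
records of one person stay linkable, but reversing a token needs the key
holder's lookup table."""
import hashlib
import hmac

# Constructed sample records (fictitious people).
RECORDS = [
    {"name": "Anna Rossi", "email": "anna@example.org", "country": "IT", "purchases": 3},
    {"name": "Ben Müller", "email": "ben@example.org", "country": "DE", "purchases": 1},
    {"name": "Anna Rossi", "email": "anna@example.org", "country": "IT", "purchases": 2},
]
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token: same value + same key -> same token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Split the data in two: a dataset for analysts with direct identifiers
    removed, and a lookup table that only the key holder keeps."""
    dataset, lookup = [], {}
    for rec in records:
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_id"] = pseudonym(rec["email"], key)
        lookup[out["subject_id"]] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        dataset.append(out)
    return dataset, lookup


def purchases_per_subject(dataset) -> dict:
    """What analysts can still do without the key: aggregate per subject."""
    totals = {}
    for rec in dataset:
        totals[rec["subject_id"]] = totals.get(rec["subject_id"], 0) + rec["purchases"]
    return totals


def reidentify(dataset, lookup):
    """What the key holder can do; this is why the GDPR still applies."""
    return [{**rec, **lookup[rec["subject_id"]]} for rec in dataset]


if __name__ == "__main__":
    data, table = pseudonymise(RECORDS, b"constructed-demo-key")
    print(data)
    print(purchases_per_subject(data))
```

Deleting the key and the lookup table removes the controller's own route back to the individuals, which is the direction of travel towards anonymous data; as long as either exists, the dataset remains pseudonymised personal data.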
The GDPR introduces the general principle of accountability in Art. 5 Sec. 2 GDPR, which places the responsibility for the compliance of processing with the GDPR, and the burden of proof for that compliance, on the controller. From this perspective, the controller shall be responsible for, and be able to demonstrate, compliance with the above principle. In particular, the controller must justify the decisions made: even where the GDPR is not respected, the choice must be justified and well motivated. The general accountability principle is directly enforceable and can be fined with up to EUR 20,000,000.00 or up to 4% of the total worldwide annual turnover (Art. 83 Sec. 5 lit. a GDPR). This increases the pressure on controllers to implement appropriate measures for data protection. Upon request of the Supervisory Authorities, controllers must be able to prove their compliance with the GDPR under the accountability principle. In order to fulfil this burden of proof, the controller's records of processing activities are likely to prove very helpful, as details of the entity's data flows are included in the records. The general organisational data protection obligations for controllers and processors are laid out in Arts. 24 to 31 GDPR.
'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data (even reading them), whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
compliance with the Regulation. Records shall be maintained in writing, including in electronic form, Art. 30 Sec. 3 GDPR. Not all entities are obliged to do so: Art. 30 Sec. 5 GDPR provides an exemption for any enterprise or organisation employing fewer than 250 persons, since they will most likely not have sufficient financial and human resources to fulfil the obligation. Income, though, can override this: entities with an annual turnover exceeding EUR 50 million and/or an annual balance sheet total exceeding EUR 43 million do not benefit from the exemption.
Art. 7 Sec. 3 GDPR explicitly provides for the data subject's right to withdraw their consent at any time, but withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
As children merit specific protection, Art. 8 GDPR introduces special conditions applicable to a child's consent in relation to information society services. For children under the age of 16, processing shall only be lawful if and to the extent that consent is given or authorised by the holder of parental responsibility, Art. 8 Sec. 1 phrase 2 GDPR. However, EU Member State legislation may provide for a lower age for those purposes, provided that it is not below 13 years. Pursuant to Art. 8 Sec. 2 GDPR, the controller shall make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility, but it remains unclear what efforts are to be considered reasonable. Thus, Supervisory Authorities and courts will adopt a case-by-case approach.
The data subjects were the citizens who had installed, on a voluntary basis, the Immuni app. The purpose of the app was to alert people who had come into close contact with subjects who tested positive, to produce statistics, and to support scientific research. Its legal grounds were consent and the public health emergency. The role of Data Controller was assumed by the Ministry of Health. Storage lasted for the period strictly necessary, whose duration was established by the Ministry of Health. All data would be deleted at the end of the state of emergency and in any case no later than December 31, 2020.
Art. 37 GDPR lays down the cases in which the obligation to designate a DPO applies. The obligation under Art. 37 GDPR is connected to the nature of the data processing activity and not to quantitative characteristics of the controller/processor itself. According to Art. 37 Sec. 1 lits. b, c GDPR, private entities are obliged to designate a DPO in any case where the following is present (public entities are also obliged to designate a DPO, with some exceptions such as courts and independent judicial authorities):
The GDPR does not specify the notions of 'core activity' or 'on a large scale'. Art. 37 Sec. 4 GDPR allows entities to voluntarily appoint a DPO if they are not required to do so under Art. 37 Sec. 1 GDPR. Private entities should evaluate whether they want to make use of this option given their economic situation and their data processing activities. If entities want to avoid the voluntary DPO having to fulfil all obligations under the GDPR, they should not name this position 'DPO' but, e.g., 'contact person'. The professional qualities of the DPO are:
Technical and organisational measures shall guarantee the safeguarding of personal data. Art. 32 GDPR obliges the controller and the processor to undertake such measures. Whereas data protection through technology shall enforce data security in advance of the processing, technical and organisational measures must be taken throughout the processing. Article 32 GDPR does not limit the scope of appropriate measures. Based on this open definition, a large variety of measures is available, for example minimising the processing of personal data, pseudonymisation (as soon as possible), enabling the data subject to monitor the data processing, creating and improving security features, regular training of employees on data security, encrypted data transfer, regular controls of the data security level, and so forth.
Art. 32 Sec. 1 GDPR sets out minimum requirements for the level of data security: pseudonymisation and encryption; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing; the ability to restore personal data in a timely manner in case of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures. Technical measures for security are (2021 ENISA - European Union Agency for Cybersecurity - report):
When assessing the measures for mitigating security risks, the controller should include safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation. Doing so, the controller needs to take into account the rights and legitimate interests of the data subjects and other persons concerned.
Each national Supervisory Authority shall issue so-called "black- and whitelists" which list the kinds of processing activities that do or do not require a DPIA. Thus, it is the Supervisory Authorities' duty to specify which activities are deemed high risk. The adoption of a whitelist is mandatory while the blacklist is not.
According to Art. 4 No. 12 GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A personal data breach can occur by way of a technical or physical incident. The data concerned needs to be personal and has to have been transmitted, stored or otherwise processed before the occurrence of the incident. Data breaches are classified as:
In case of a personal data breach, the controller shall notify the competent Supervisory Authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the data breach, Art. 33 Sec. 1 GDPR. The processor has no obligation to notify data breaches to the Supervisory Authorities, only to the controller; nevertheless, the processor must inform the controller of the data breach without undue delay. The law does not specify whether the processor's awareness is attributed to the controller. If so, the notification period would start with the processor's awareness, irrespective of when the controller becomes aware of the data breach. Article 33 Sec. 3 GDPR sets out minimum requirements for the content of the notification. It must contain the following:
When the data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller shall communicate the personal data breach to the data subjects involved without undue delay. The communication shall allow the data subjects to take the necessary precautions and should describe to them the nature of the personal data breach, as well as recommendations for the data subjects to mitigate potential adverse effects. According to Art. 34 Sec. 3 GDPR, a communication is not required if one of the following conditions is met:
In addition to these aspects, the Data Controller should also justify the reason for the decisions taken as a result of the data breach with particular reference to the following cases:
Art. 33 Sec. 5 GDPR states that the controller shall document any personal data breach, including the circumstances surrounding it, its consequences and the measures taken to remedy it. Such documentation shall enable the Supervisory Authority to verify compliance with this Article. In particular, there are two tools to use:
https://gdpr-info.eu/