Obligations Flashcards
(15 cards)
Obligations:
Cooperation with the supervisory authority
The controller and the processor and, where applicable, their representatives:
- Art. 31 GDPR: cooperate on request with the supervisory authority in the performance of its tasks.
- Art. 30, para. 4, GDPR: make the record of processing activities available to the supervisory authority on request.
- Cooperation is subject to an obligation only if it is requested by a supervisory authority.
- The request of the supervisory authority is not an administrative act: the request does not have to be substantiated with specific reasons.
- The request shall specify the minimum information that allows the controller or processor to object to such a request where appropriate.
Obligations:
Privacy by design
Art. 25 para. 1 GDPR
Controllers must put in place:
- measures to effectively implement data protection principles
- necessary safeguards
to meet the requirements of the regulation and protect the rights of data subjects.
These measures should be implemented both at the time of processing and when determining the means for processing.
The controller needs to take into account:
- the state of the art,
- the costs of implementation,
- the nature, scope and purposes of personal data processing
- the risks and severity for the rights and freedoms of the data subject
Obligations:
Privacy by Default
Art. 25 para. 2 GDPR
The concept of Privacy by Default shall protect consumers against the widespread trend among companies to obtain as much personal data as possible.
- By default, only personal data that are necessary for the specific purpose of the data processing shall be obtained.
- The concept addresses the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
For this purpose, the controller needs to implement:
- appropriate
- technical
- organizational
measures.
The main case of application for Privacy by Default should be privacy-friendly technical default settings when obtaining data subject’s consent for processing.
Obligations:
Controller vs Processors
Controller:
- Is responsible and liable for data protection obligations.
- does not have to carry out the data processing itself, as it can use a processor to act on its behalf.
Processor:
Article 4 (8): a “processor” is a
- natural or legal person,
- public authority,
- agency or other body,
“which processes personal data on behalf of the controller”.
Two conditions for qualifying as processor are:
- being a separate entity in relation to the controller
- processing personal data on the controller’s behalf.
Art. 29 GDPR:
- processing by the processor shall only take place upon the instruction of the controller.
Obligations:
The Data Processors
Data Protection Directive vs GDPR
Data Protection Directive:
- controllers were only responsible for the lawfulness of processing when contracting a processor.
GDPR:
- the processor is now facing obligations and can be held liable for breaches of these obligations and fined with up to EUR 10,000,000.00 or 2% of the total worldwide annual turnover.
Obligations of the data processor
The processor has several obligations, partially arising from its contract with the controller.
The most important obligations are:
01) to implement technical and organizational measures;
02) to adhere to an approved Code of Conduct or Certification Mechanism;
03) to meet the same level of security obligations as controllers;
04) to use pseudonymisation techniques;
05) to ensure the confidentiality, integrity, availability and resilience of processing services;
06) to be able to restore and recover access to lost data and to regularly evaluate its security measures;
07) to appoint a representative within the EU according to Art. 27 GDPR, if the processor is located outside the EU;
08) to maintain a record of processing activities available to the supervisory authorities upon their request (less comprehensive than the controller's);
09) to cooperate with the supervisory authorities;
10) to designate a Data Protection Officer under Arts. 37 et seq. GDPR, if the statutory conditions for a designation obligation are fulfilled.
Obligations:
Records of processing activities
Art. 30 GDPR:
Obliges the controller and the processor, or where applicable their representatives, to maintain a record of the processing activities.
This obligation is intended to ensure that, if necessary, supervisory authorities will have the necessary documentation to enable them to confirm the lawfulness of processing.
Obligations:
Content and purpose of the Records
(Controller)
Art. 30, par. 1, GDPR
The information to be documented includes the following:
- Name and contact details of the controller, and of the joint controller,
- the controller’s representative
- the DPO, where applicable;
- purposes of the processing;
- description of the categories of data subjects and of the categories of personal data related to the processing;
- information on the categories of recipients to whom personal data have been, or will be, disclosed;
- information on whether transfers of personal data to third countries or international organizations have been, or will be, carried out;
- where possible, the time limits foreseen for the deletion of the different categories of personal data,
- an overview of the technical measures adopted to ensure the security of processing.
Obligations:
Content and purpose of the Records
(Processor)
Art. 30, par. 2, GDPR
The content of the records of the processor is less comprehensive than that of the records which must be maintained by the controller.
The information to be documented includes the following:
- name and contact details of the controller, and of the joint controller, the controller’s representative and the DPO, where applicable;
- categories of the processing;
- information on whether transfers of personal data to third countries or international organizations have been, or will be, carried out;
- overview of the technical measures adopted to ensure the security of processing.
Exception from the obligation to Maintain Records
The requirement to keep records does not apply to an enterprise or organization (controller or processor) which employs fewer than 250 persons (micro, small and medium-sized enterprises).
The exception is subject to the requirements that:
- the processing does not result in a risk to the rights and freedoms of data subjects;
- the processing is only occasional;
- the processing does not include
a) special categories of data as referred to in Article 9 (1);
b) personal data relating to criminal convictions and offences referred to in Article 10.
Obligations:
Codes of Conduct
Articles 40 and 41 GDPR:
For controllers and processors of personal data, Codes of Conduct:
- improve compliance and enhance the implementation of EU data protection rules.
Codes of Conduct provide detailed guidance which tailors legal requirements to specific sectors and furthers the transparency of processing activities.
Codes specify:
a) organisational and material requirements under the GDPR for:
- a certain data processing context,
- a certain product,
- a certain sector;
b) how activities comply with the GDPR;
c) procedural requirements under the GDPR.
Obligations:
Codes of Conduct
Purpose
Art. 40, par. 2, GDPR:
«Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
a) fair and transparent processing;
b) the legitimate interests pursued by controllers in specific contexts;
c) the collection of personal data;
d) the pseudonymisation of personal data;
e) the information provided to the public and to data subjects;
f) the exercise of the rights of data subjects;
g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
j) the transfer of personal data to third countries or international organisations; or
k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79».
Steps to create a framework of binding rules of conduct
a) Purpose and preparation:
associations and other bodies representing categories of controllers or processors may prepare a draft of Codes of Conduct
b) Approval:
Codes of Conduct for one EU Member State;
Codes of Conduct for several EU Member States.
c) Monitoring Bodies:
the competent Supervisory Authority will accredit independent bodies to monitor compliance with Codes of Conduct.
d) Legal consequences:
Codes of Conduct have no binding legal effect, but they ease the controllers'/processors' burden of proof for compliance with certain obligations under the GDPR.
Obligations:
Certifications, Seals, Marks
Articles 42 and 43 GDPR
A voluntary certification system can be used to demonstrate compliance with the GDPR.
- Certain certification bodies or supervisory authorities may issue certifications.
- Certified organisations may gain more visibility and credibility, because certifications allow data subjects to quickly assess an organisation's level of protection for data processing.
- Certification shall be as affordable as possible to suit the limited financial resources of enterprises.