CIPPE ILT PGDigital v5.2

EUROPEAN DATA PROTECTION PARTICIPANT GUIDE An publication European Data Protection Participant Guide An IAPP Publication CIPP®, CIPP/A®, CIPP/C®, CIPP/E®, CIPP/G®, CIPP/US®, CIPM® and CIPT® are registered trademarks of the International Association of Privacy Professionals, Inc. © 2022, The International Association of Privacy Professionals, Inc. (IAPP). All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without the prior, written permission of the IAPP. For more information contact copyright@iapp.org. v 5.2 Welcome! In today’s information economy, the risks—and opportunities—associated with the use and collection of data continue to skyrocket. But you probably already know that. You probably also know that skilled privacy pros are in high demand. After all, that is one of the reasons you are here, right? You have come to the right place. The IAPP is the world’s largest information privacy organization. We are a non-advocacy, not-for-profit membership association focused on advancing the privacy profession. Our globally recognized privacy training is designed to give you the expertise and know-how you need to get ahead. You will hear from world-class privacy faculty who are experts working in the field of privacy and data protection today. They will share their knowledge, insights and real-life experiences to help you sharpen your skills and work smarter—not to mention, take your career to a whole new level. While contemporary topics, developments and events may be discussed in this training, please understand this is not a current events course but, rather, is based on the corresponding IAPP exam's body of knowledge (BoK). The BoK is an outline of topics, developed and approved by an exam development board, that is reviewed/ updated annually and serves as the foundation for the certification exam and training. If emerging privacy and data protection issues or events become part of the exam, the training will be updated accordingly at least one month prior to the release of exam updates. Whether you are a seasoned professional or new to the field of privacy and data protection, this class is an opportunity to learn essential skills, and, if you decide to aim for an IAPP credential, you will have a head start! Ready to get certified? Visit http://iapp.org/certify/prepare for advice on how to prepare. Thank you for joining us today. European Data Protection European Data Protection 1 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Acknowledgements Jeroen Terstegge Phil Lee CIPP/E, CIPP/US Country Leader, Netherlands, IAPP; Managing Partner Privacy Management Partners CIPP/E, CIPM, FIP Partner Privacy, Security and Information Fieldfisher Mark Webber Olivier Proust CIPP/E U.S. Managing Partner Fieldfisher (Silicon Valley) LLP CIPP/E Partner Privacy, Security and Information Fieldfisher Bavo Van den Heuvel CIPP/E, CIPP/US, CIPM, CIPT, FIP Chief Knowledge Officer – Managing Partner Cranium Applied Privacy Michaela Buck Orrie Dinstein CIPP/C, CIPP/E, CIPP/G CIPP/US, CIPM, CIPT, FIP President, Privacy Strategist Privacy Ref, Inc 2 Thank you to the following IAPP instructors, members and subject matter experts who provided their guidance and expertise to the development of this training: External DPO Bob Siegel CIPP/US Global Chief Privacy Officer Marsh & McLennan Companies 2 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Acknowledgements Sachin Kothari Aurélie Pols CIPP/US Vice President and Chief Privacy Officer Johnson Controls International DPO CDP mParticle Data Governance & Privacy Engineer Aurélie Pols and Associates Nick Graham Gabe Maldoff CIPP/E Global Chair of Privacy and Cyber Security Dentons CIPP/US Associate Goodwin Procter LLP Judy Macior Anna Myers CIPP/C, CIPP/G, CIPP/US, CIPT, FIP Operational Risk Director Experian CIPP/US, CIPM Attorney Fellow ZwillGen PLLC 3 Thank you to the following IAPP instructors, members and subject matter experts who provided their guidance and expertise to the development of this training: Marta Dunphy-Moriel CIPP/E Founder Dunphy-Moriel Legal Services Ltd 3 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 4 Trainer Introduction Trainer introduction 4 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 5 Chat Share How would you describe your industry? Chat: Share How would you describe your industry? 5 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 6 Chat Share How many years have you worked in privacy? Chat: Share How many years have you worked in privacy? 6 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection • Module 1: Data protection laws 7 • Module 2: Personal data • Module 3: Controllers and processors • Module 4: Processing personal data • Module 5: Data subject rights Course outline • Module 6: Information provision obligations • Module 7: International data transfers • Module 8: Compliance considerations • Module 9: Security of processing • Module 10: Accountability • Module 11: Supervision and enforcement Course outcomes This course will … • Define key concepts of European data protection • Describe EU data protection laws and regulatory bodies • Explain the application of the GDPR and other compliance obligations to European and international entities Note While examples from member state data protection laws may be referenced by your trainer, this training will focus on the broader EU Regulation. 7 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Module 1: Data protection laws 8 Learning objectives • Differentiate between the Council of Europe and the European Union, including member state composition and legislation related to privacy and data protection • Describe the history of human rights, privacy, and data protection law in Europe leading up to the current EU legislative framework • Recognise themes in human rights and data protection law, including right to privacy and freedom of speech, and the balance between the two • Describe the functions of the EU’s legislative, policy-making and judicial institutions, specifically as they apply to data protection law • Describe the EU data protection law’s transition from a directive that requires member state transposition to a regulation Module 1 learning objectives • Differentiate between the Council of Europe and the European Union, including member state composition and legislation related to privacy and data protection. • Describe the history of human rights, privacy, and data protection law in Europe leading up to the current EU legislative framework. • Recognise themes in human rights and data protection law, including right to privacy and freedom of speech, and the balance between the two. • Describe the functions of the EU’s legislative, policy-making and judicial institutions, specifically as they apply to data protection law. • Describe the EU data protection law’s transition from a directive that requires member state transposition to a regulation. 8 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 9 Chat Share Which type of privacy is most important to your personal life? Information privacy, territorial privacy, bodily privacy, or communication privacy? Module 1: Data protection laws Chat: Share Which type of privacy is most important to your personal life? Information privacy, territorial privacy, bodily privacy, or communication privacy? • Information privacy • Territorial privacy • Bodily privacy • Communication privacy 9 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 10 Chat Share Which type of privacy is most important to your professional life? Information privacy, territorial privacy, bodily privacy, or communication privacy? Module 1: Data protection laws Chat: Share Which type of privacy is most important to your professional life? Information privacy, territorial privacy, bodily privacy, or communication privacy? • Information privacy • Territorial privacy • Bodily privacy • Communication privacy 10 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection European Union Council of Europe • 27 member states • Economic and political union • CFREU, TFEU, GDPR, ePrivacy • 46 member states • International organisation • ECHR, Convention 108 11 Comparing EU and CoE Module 1: Data protection laws Session notes The European Union and the Council of Europe • Separate European institutions • Own laws and judicial systems • All EU member states belong to Council of Europe, but not vice versa • Both share fundamental values of human rights, democracy and the rule of law European Union • 27 member states • On 1 January 2020, the U.K. exited the European Union • Economic and political union • Privacy and data protection laws • Charter of Fundamental Rights of the EU (CFREU) • Treaty on the Functioning of the EU (TFEU) • Lisbon Treaty • General Data Protection Regulation (GDPR) • ePrivacy Directive • National data protection laws across Europe Council of Europe • 46 member states • International organisation • Privacy and data protection laws • European Convention on Human Rights (ECHR) – a treaty designed to protect human rights, democracy and the rule of law • CoE Convention (also called Convention 108) 11 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Comparing European 12 institutions Extends EU single markets to non-EU member parties • Creates an internal market • Enables the Four Freedoms (goods, services, persons and capital) European Free Trade Association European Economic Area European Union Module 1: Data protection laws Session notes EU member states: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden The European Economic Area (EEA) is an economic region that includes the European Union (EU) and Iceland, Norway and Liechtenstein—which are not official members of the EU but are closely linked by economic relationship. Non-EU countries in the EEA are required to adopt EU legislation regarding the single market. • Based on the Agreement of the European Economic Area (1994) • Allows members of the European Free Trade Association (EFTA) to participate fully in the internal market Switzerland is not part of the EEA Agreement but does have a bilateral agreement with the EU. European Free Trade Association (EFTA): Iceland, Liechtenstein, Norway and Switzerland United Kingdom: The U.K. formally left the European Union on 1 January 2020. The Trade and Cooperation Agreement signed between the EU and U.K. on 24 December 2020 allowed the transfer of personal data from the EU to the U.K. to continue for up to six-months. The European Commission has now declared the U.K. adequate under the GDPR and Law Enforcement Directive (LED). 12 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Privacy and data protection laws 13 Charter of Fundamental Rights of the EU European Convention on Human Rights European Union Council of Europe Lisbon Treaty (TFEU) Member state ratification Article 7: Private life, family life, home, communications Article 8: Protects private life, family life, home, communications Article 8: Establishes a separate right Article 8: Includes the right to data to data protection protection (private life) Module 1: Data protection laws Session notes Charter of Fundamental Rights of the EU (CFREU), 2000 • Comprehensive collection of individual rights • Enshrined fundamental rights which became binding through the Treaty of Lisbon (2007) • Limitations provided for by law • Respect the essence of the right • Genuinely meet the objectives of general interest recognised by the EU or the need to protect the rights and freedom of others • Necessary and proportionate Interpretation of the CFREU may not contravene the ECHR, but may provide for higher level of protection. European Convention on Human Rights (ECHR), 1950 (entered into force 1953) • Member state ratification • Based on the Universal Declaration of Human Rights • Key document for fundamental rights in Europe (not only the EU) • In accordance with the law • Necessary in a democratic society • • Public security and safety • Economic well-being of country • Prevention of disorder or crime • Protection of health or morals • Protection of rights and freedoms of others Article 8 is considered to be one of the Convention’s most open-ended provisions 13 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Comparing European courts 14 Court of Justice of the EU European Court of Human Rights Judicial body of the European Union Part of the apparatus of the Council of Europe Decides on issues of EU law and enforces those decisions Enforces European Convention on Human Rights and Convention 108 Comprises of the Court of Justice (ECJ) and the General Court (renamed ‘Court of First Instance’, CFI) Judges sit in their individual capacity and do not represent any state Data protection as it relates to cases Data protection as it relates to brought by national courts and by the Article 8 Commission against member states Module 1: Data protection laws Session notes Based in Luxembourg, the Court of Justice of the EU is the judicial body of the EU. It makes decisions on issues of EU law and enforces decisions, either in respect of actions taken by the European Commission against a member state or by an individual or organisation to enforce their rights under EU law. The Court comprises the European Court of Justice (ECJ) and the General Court. The Court provides clarification of EU law to national courts to assist the national courts in upholding EU law. Relevant landmark cases include: • Bodil Lindqvist v Åklagarkammaren i Jönköping, Nowak v Data Protection Commssioner • Google Spain v AEPD and Mario Costeja González, Schrems v Data Protection Commissioner, Data Protection Commission v. Facebook Ireland, Schrems • Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság Judgment The European Court of Human Rights (ECHR) in Strasbourg upholds privacy and data protection laws through its enforcement of the European Convention on Human Rights and Convention 108. It is not part of the European Union. The ECHR has also considered the question of the protection of personal data from the viewpoint of the right of access to such data. Relevant landmark cases include: • Niemietz v Federal Republic of Germany, Halford v United Kingdom, Copland v United Kingdom • Bărbulescu v Romania • I v Finland 14 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 15 Data protection: Dawn of a new age • • • 1960s 1970s Developing concerns Module 1: Data protection laws Session notes Data protection: Dawn of a new age • 1960s • Economic and technological advancements • Increasing international trade • Use of computers and telecommunications • 1970s • Conflict between national privacy rights and international free trade • Development of communication technologies • Extensive banks of personal data • New opportunities for international data processing • Developing concerns • Government collection and use of data • Collection of consumer data 15 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 16 Data protection laws The privacy conflict Right to privacy Freedom of speech Module 1: Data protection laws Session notes The privacy tug of war: right to privacy vs. freedom of speech • Contradiction between two fundamental human rights • Increasing relevance in the information age • Right to withdraw consent • Right to lodge a complaint 16 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 17 Data protection laws The privacy tug of war MARIO COSTEJA GONZÁLEZ Module 1: Data protection laws Case study Google Spain v. AEPD and Mario Costeja González Mr. Costeja sued Google Spain, Google Inc. and La Vanguardia newspaper because personal data about him was available through a Google search in the newspaper’s online archives. The Court of Justice of the EU ruled that Google Spain must remove the links to the article. Note: The issue around a platform's responsibility related to content curation—what is accepted and what is not in light of globalisation—predates the Costeja case (e.g., LICRA v. Yahoo!). 17 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 18 Data protection laws An evolving harmonised approach 1980 OECD Guidelines Module 1: Data protection laws Session notes An evolving harmonised approach • 1980: OECD Guidelines (Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data) • Nonbinding • Protection of personal data in a global economy • Principles on collection and use • 2013 revision 18 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 19 Data protection laws An evolving harmonised approach 1980 1981 OECD Guidelines Convention 108 Module 1: Data protection laws Session notes An evolving harmonised approach • 1981*: Convention 108/CoE Convention (The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981) • Legally binding treaty of member states (also open to nonmembers) of the Council of Europe • Protection of data subject privacy • Automatically processed personal data *In October 2018, Convention 108+, a version of Convention 108 overhauled to align with the GDPR, was signed by 20 states of the Council of Europe, including the UK. Since then, more states have followed. According to the European Commission, it serves as a means for third countries (those outside the EU) to adopt the basic tenets of the GDPR. 19 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 20 Data protection laws An evolving harmonised approach 1980 1981 1995 OECD Guidelines Convention 108 The EU Data Protection Directive Module 1: Data protection laws Session notes An evolving harmonised approach • 1995: The EU Data Protection Directive (95/46/EC) • Legally binding transposition of member states of the EU 20 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 21 Data protection laws An evolving harmonised approach 1980 1981 1995 2000 OECD Guidelines Convention 108 The EU Data Protection Directive Charter of Fundamental Rights of the EU The E-Commerce Directive Module 1: Data protection laws Session notes An evolving harmonised approach • 2000: • Charter of Fundamental Rights of the EU • The E-Commerce Directive of 2000 (Directive 2000/31/EC) • Issues related to processing personal data excluded from its scope 21 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 22 Data protection laws An evolving harmonised approach 2002 The EU Directive on Privacy and Electronic Communications Module 1: Data protection laws Session notes An evolving harmonised approach • 2002: The EU Directive on Privacy and Electronic Communications (ePrivacy Directive/Cookie Directive) • Communications passed over electronic channels • Particular rules around marketing, cookies, and security breach notifications for internet service providers (ISPs) and telecommunications companies • 2009 amendment 22 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 23 Data protection laws An evolving harmonised approach 2002 2006 The EU Directive on Privacy and Electronic Communications The EU Data Retention Directive Module 1: Data protection laws Session notes An evolving harmonised approach • 2006: The EU Data Retention Directive (2006/24/EC) • Requirements of ISP and telecommunication companies to keep metadata about the communications they carried in case it needed to be accessed for law enforcement purposes • 2014 Digital Rights Ireland case—validity of the Directive challenged and struck down by the Court of Justice of the EU • National data retention laws across the EU 23 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 24 Data protection laws An evolving harmonised approach 2002 2006 2007 The EU Directive on Privacy and Electronic Communications The EU Data Retention Directive The Treaty of Lisbon Module 1: Data protection laws Session notes An evolving harmonised approach • 2007: The Treaty of Lisbon (enforceable in 2009) • The Charter of Fundamental Rights (made binding law) • Development of EU data protection law 24 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 25 Data protection laws An evolving harmonised approach 2002 2006 2007 2016 The EU Directive on Privacy and Electronic Communications The EU Data Retention Directive The Treaty of Lisbon The General Data Protection Regulation Module 1: Data protection laws Session notes An evolving harmonised approach • 2016: The General Data Protection Regulation (GDPR) (became enforceable in 2018) • EU • Successor to the Data Protection Directive (Recital 171; Articles 94, 99) 25 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 26 Data protection laws EU institutions European Council European Commission Council of the EU European Parliament Defines EU’s priorities and sets political direction Implements EU decisions and policies Legislative decision-making Legislative development, supervisory oversight of the other institutions and budget development Module 1: Data protection laws Session notes EU institutions • EU comprises legislative, policy-making and judicial bodies • European Council • Heads of state or government of all EU countries, European Council president, European Commission president, and High Representative for Foreign Affairs and Security Policy • Defines EU’s priorities and sets political direction • European Commission • One commissioner per member state who pledges to respect the EU Treaties • Implements EU’s decisions and policies • Other broad functions, including executive competence to propose legislation • Historically most active EU institution in data protection • Council of the EU • One minister from each member state—changes based on the policy issue to be discussed • Legislative decision-making (along with the Parliament) • Legislation generally proposed by the Commission before being examined by the Council of the EU and the Parliament • European Parliament • Only EU institution whose members are directly elected • Primary responsibilities—legislative development, supervisory oversight of the other institutions and budget development • Greatest impact on data protection and privacy issues through role in legislative process • Frequent advocate for right to data protection • Co-decision Procedure: process by which Council of the EU and European Parliament agree on legislation 26 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 27 EU institutions European Commission Supervises European Parliament Proposes legislation Appoints Council of the EU Co-decision EU law Arbitrates Court of Justice BBC News, “EU institutions: Flow of power,” http://news.bbc.co.uk/hi/english/static/in_depth/europe/2001/inside_europe/eu_institutions/flow_chart.stm Session notes This graphic illustrates the flow of power across EU institutions. Use the GDPR as a prime example to briefly describe the EU’s legislative process. • The European Commission proposed the draft legislation in 2012 and sent a version to the European Parliament and the Council of the EU. • The European Parliament reviewed the draft within committee meetings. They collected thousands of comments/amendments, and that became the European Parliament’s position on the new GDPR. • Meanwhile, the Council of the EU had their own committees that reviewed the draft legislation. That became the Council’s official position on the new draft. • The Parliament and Council got together and tried to jointly agree on the legislation. The European Commission adjudicated the proceedings. This process was called the Trilogue Procedure. • Meanwhile, other groups, such as national parliaments, consumer advocates, and industry advocates, were also expressing their views. • In December 2016, the EU Parliament and Council finally agreed upon the EU General Data Protection Regulation, first proposed in 2012; it went into effect on 25 May 2018. • The European Court of Justice (ECJ) is the judicial body of the EU. It may be involved in cases related to data protection that begin in national courts and are referred to the ECJ for a preliminary ruling on issues of interpretation of EU law. 27 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 28 Chat Pop quiz Which role best describes the European Commission? • Defines EU priorities and sets political direction • Implements EU decisions and policies • Is engaged in legislative decision-making • Has supervisory oversight of the other institutions Module 1: Data protection laws Chat: Pop quiz Which role best describes the European Commission? • Defines EU priorities and sets political direction • Implements EU decisions and policies • Is engaged in legislative decision-making • Has supervisory oversight of the other institutions 28 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Data protection laws 29 Data Protection Directive • Does not apply directly • Minimise harmonisation • 31 national data protection acts with a lot of variances General Data Protection Regulation (GDPR) • Applies directly • Full harmonisation, but national law may clarify, specify and supplement Module 1: Data protection laws Session notes Every member state inevitably has some local differences in the law. The result is 31 laws that all broadly say the same thing but have slight differences. The GDPR was intended to eliminate those differences. However, about 50 provisions in the GDPR allow for local law clarification/exception. Whether or not the GPDR was a radical change depended on how similar your country’s data protection law was to the GDPR. Data Protection Directive • Directive similar to cloning yet with variances • Obligations were on member states • Member states’ governments implemented the Directive into local law • Directive was transposed into national laws in EU • Local laws/implementation differ across member states • Article 29 Working Party (WP29) issued opinions/interpretation of the Directive GDPR • Directly applicable and enforceable as law in every EU member state • Goal is to provide just one set of data protection rules for all EU member states • However, 50 provisions allow for local law clarification or exception • National laws either repealed or amended to align with GDPR • European Data Protection Board (EDPB) replaced the WP29 in 2018—to be discussed later in the training; WP29 GDPR guidelines endorsed by the EDPB • GDPR full text: http://eur-lex.europa.eu/eli/reg/2016/679/oj • European Commission GDPR guidance website: https://ec.europa.eu/commission/priorities/justice-and-fundamentalrights/data-protection/2018-reform-eu-data-protection-rules_en • IAPP “EU Member State GDPR Derogation Implementation Tracker”: https://iapp.org/resources/tools/eu-member-stategdpr-derogation-implementation 29 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Data protection laws ePrivacy 30 Cookies: ePrivacy Overlap GDPR Storing/accessing data on device Processing of ‘personal data’ European Data Protection Board, “Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR…” Adopted 12 March 2019, https://edpb.europa.eu/sites/edpb/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en_0.pdf Session notes The ePrivacy Directive is discussed in more depth in Module 8. • Processing that triggers the material scope of both • • • Interplay • • • • • ePrivacy Directive: electronic communications service, electronic communications network, and service and network publicly available and offered in the EU; website operators (e.g., for cookies) or other businesses (e.g., for direct marketing) GDPR: ‘any form of processing of personal data, regardless of the technology used’ ‘To particularise’ (lex specialis principle): ‘Special provisions prevail over general rules’ ‘To complement’: Several ePrivacy Directive provisions complement GDPR provisions Article 95 of the GDPR: The aim is ‘to avoid the imposition of unnecessary administrative burdens upon controllers who would otherwise be subject to similar but not quite identical administrative burdens’ Co-existence: In cases where lex specialis does not apply, the general rule will apply (lex generalis) Competence, tasks and powers of data protection authorities: ‘When the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, data protection authorities are competent to scrutinise the data processing operations which are governed by national ePrivacy rules only if national law confers this competence on them, and such scrutiny must happen within the supervisory powers assigned to the authority by the national law transposing the ePrivacy Directive’ Examples • • Processing that triggers the material scope of both the GDPR and ePrivacy Directive • Article 29 Working party’s opinion on online behavioral advertising: ‘If as a result of placing and retrieving information through the cookie or similar device, the information collected can be considered personal data’ Interplay • ‘To particularise’: ‘The full range of possible lawful grounds provided by Article 6 GDPR cannot be applied by the provider of an electronic communications service to processing of traffic data, because Article 6 ePrivacy Directive explicitly limits the conditions in which traffic data, including personal data, may be processed’ • Article 95 of the GDPR: Personal data breach notification obligations 30 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 31 Review question 1. Which of the following data protection milestones is a treaty amongst member states of the Council of Europe? A. Data Retention Directive B. Charter of Fundamental Rights C. Convention 108 D. ePrivacy Directive E. GDPR Module 1: Data protection laws Review question NOTE: Review questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions. 1. Which of the following data protection milestones is a treaty amongst member states of the Council of Europe? A. Data Retention Directive B. Charter of Fundamental Rights C. Convention 108 D. ePrivacy Directive E. GDPR 31 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 32 Review question 2. Which of the following data protection milestones applies to public electronic communications services and networks? A. Data Retention Directive B. Charter of Fundamental Rights C. Convention 108 D. ePrivacy Directive E. GDPR Module 1: Data protection laws Review question 2. Which of the following data protection milestones applies to public electronic communications services and networks? A. Data Retention Directive B. Charter of Fundamental Rights C. Convention 108 D. ePrivacy Directive E. GDPR 32 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 33 Review question 3. The European Convention on Human Rights is a product of which institution? A. The United Nations B. The Council of Europe C. The European Union D. The European Economic Area Module 1: Data protection laws Review question 3. The European Convention of Human Rights is a product of which institution? A. The United Nations B. The Council of Europe C. The European Union D. The European Economic Area 33 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 34 4. Which role best describes the European Parliament? Review question A. Defines EU priorities B. Sets political direction C. Implements EU decisions and policies D. Is engaged in legislative development Module 1: Data protection laws Review question 4. Which role best describes the European Parliament? A. Defines the EU priorities B. Sets political direction C. Implements EU decisions and policies D. Is engaged in legislative development 34 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 35 Module 2: Personal data Learning objectives • Differentiate between personal, anonymous and pseudonymous data • Recognise special categories of data Module 2 learning objectives • Differentiate between personal, anonymous and pseudonymous data. • Recognise special categories of data. 35 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 36 Personal data Four-step test any information... What qualifies as information? relating to... an identified or identifiable... natural person When does information relate to a person? What is identity? What is a natural person? When is someone identifiable? Module 2: Personal data Session notes Four-step test: ‘Any information relating to an identified or identifiable natural person (“data subject”)’ (Article 4[1]) The criteria do not have to be considered in any particular order, yet all must be met. 36 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 37 Anonymous Module 2: Personal data Session notes Anonymous data (Recital 26) • Not related to an identified or an identifiable natural person • Has been rendered unidentifiable • Not considered personal data under the GDPR 37 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Pseudonymous 38 Anonymous Module 2: Personal data Session notes Pseudonymous data (Recitals 26, 28-29; Articles 4[5], 6[4][e], 25[1], 32[1][a]) • Not fully anonymous • A process that detaches the aspects of the data attributed to a specific individual • A security measure that makes the use of the data less risky • Subject to data protection law 38 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 39 Chat Knowledge check Can you rewrite the following statement to anonymise the personal data? Mr. Weber, CEO of Munich Ltd., earns €10,389,290.89. Module 2: Personal data Chat: Knowledge check Can you rewrite the following statement to anonymise the personal data? Mr. Weber, CEO of Munich Ltd., earns €10,389,290.89. 39 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 40 Personal data Special categories of personal data Personal data revealing ... racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership Module 2: Personal data Session notes Click slide to reveal text. Special categories of personal data • Type of personal data • Its processing has a more profound impact on individuals’ privacy rights • Has a higher standard of protection • Article 9(1): ‘Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited’ • Personal data revealing … • Racial or ethnic origin • Political opinions • Religious or philosophical beliefs • Or trade-union membership 40 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 41 Personal data Special categories of personal data • Genetic data • Biometric data for the purpose of uniquely identifying a natural person Module 2: Personal data Session notes Special categories of personal data • Genetic data • Biometric data for the purpose of uniquely identifying a natural person 41 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 42 Personal data Special categories of personal data Data concerning ... health, sex life or sexual orientation Module 2: Personal data Session notes Special categories of personal data • Data concerning … • Health • Sex life • Or sexual orientation 42 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 43 Personal data Other special categories of personal data Data related to … criminal convictions and offences • Not considered special data, but subject to limitations on processing Module 2: Personal data Session notes Other • Personal data related to criminal convictions and offences • Article 10: Processing of such personal data ‘shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects’. And ‘Any comprehensive register of criminal convictions shall be kept only under the control of official authority’. 43 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 44 Chat Knowledge check Keeping the subjective nature of this exercise in mind, provide examples that would likely belong to special categories of personal data under the GDPR. Module 2: Personal data Session notes • A data element’s designation as belonging to a special category may not be obvious • Example: An X-ray of a broken arm would obviously qualify as data concerning health; however, a photograph from a holiday party showing an individual with his arm in a cast may not, as the photograph does not necessarily concern that person’s health Chat: Knowledge check Keeping the subjective nature of this exercise in mind, provide examples that would likely belong to special categories of personal data under the GDPR. 44 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 45 1. What is the function of the four-step test? Review question A. Determine if personal data belongs to special categories B. Determine if personal data is anonymous C. Determine if data qualifies as personal data D. Determine if personal data is pseudonymous Module 2: Personal data Review question NOTE: Review questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions. 1. What is the function of the four-step test? A. Determine if personal data belongs to special categories B. Determine if personal data is anonymous C. Determine if data qualifies as personal data D. Determine if personal data is pseudonymous 45 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 46 Review question 2. Which criteria are used to identify personal data? Select all that apply. A. ‘any information’ B. ‘relating to’ C. ‘an identified or identifiable’ D. ‘or anonymous’ E. ‘natural person’ Module 2: Personal data Review question 2. Which criteria are used to identify personal data? Select all that apply. A. ‘any information’ B. ‘relating to’ C. ‘an identified or identifiable’ D. ‘or anonymous’ E. ‘natural person’ 46 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Review question A. Personal data revealing political opinions B. Personal data revealing religious or philosophical beliefs C. Personal data revealing financial information D. Genetic data used to uniquely identify a natural person E. Data relating to personal interests and hobbies 47 3. Select the types of personal data elements that belong to special categories under the GDPR. Module 2: Personal data Review question 3. Select the types of personal data elements that belong to special categories under the GDPR. A. Personal data revealing political opinions B. Personal data revealing religious or philosophical beliefs C. Personal data revealing financial information D. Genetic data used to uniquely identify a natural person E. Data relating to personal interests and hobbies 47 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 48 Review question 4. True or false: Anonymising personal data is always possible. Module 2: Personal data Review question 4. True or false: Anonymising personal data is always possible. 48 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 49 Review question 5. True or false: Pseudonymous data is protected by the GDPR. Module 2: Personal data Review question 5. True or false: Pseudonymous data is protected by the GDPR. 49 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 50 Review question 6. Is the collection and use of device dynamic IP addresses to allow data on a website to be transferred to the correct recipient considered personal data? Why or why not? Module 2: Personal data Review question 6. Is the collection and use of device dynamic IP addresses to allow data on a website to be transferred to the correct recipient considered personal data? Why or why not? 50 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 51 Module 3: Controllers and processors Learning objectives • Define data protection roles • Describe basic configurations of control over personal data Module 3 learning objectives • Define data protection roles. • Describe basic configurations of control over personal data. 51 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 52 Data protection roles Data subject Data controller Data processor Data protection authority (DPA)/ Supervisory authority (SA) Module 3: Controllers and processors Session notes Data protection roles • Basic definitions (not GDPR-specific) • Data subject: An individual about whom personal data is processed • Data controller: An organisation or individual that decides how and why personal data is processed • Data processor: An organisation or individual that processes information on behalf of the data controller • Data protection authority (DPA), referred to as supervisory authority (SA) in GDPR: • An entity appointed to enforce privacy or data protection laws and regulations in a particular jurisdiction • GDPR-specific definitions of these roles explored throughout the course 52 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 53 Chat Pop quiz Jim is employed by a construction company in Belgium. The Human Resources department at the construction company keeps Jim’s personal data on file. The construction company contracts with a payroll administration that directly deposits Jim’s paycheck into his bank account. The Belgian Privacy Commission provides regulatory oversight to ensure Jim’s company follows EU and national data protection laws. Who is the data processor in this scenario? Module 3: Controllers and processors Chat: Pop quiz Jim is employed by a construction company in Belgium. The Human Resources department at the construction company keeps Jim’s personal data on file. The construction company contracts with a payroll administration that directly deposits Jim’s paycheck into his bank account. The Belgian Privacy Commission provides regulatory oversight to ensure Jim’s company follows EU and national data protection laws. Who is the data processor in this scenario? 53 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 54 Controller Definition • Article 4(7): ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’ Module 3: Controllers and processors Session notes Article 4(7) • Natural or legal person, public authority, agency or other body • Living human being • Or legal entity • Alone or jointly with others (see following slides) • Different configurations of control • Determines the purposes and means of processing • Why? (purposes) • How? (means) • What data? • How long? (retention) • Where? (storage and data transfers) • By whom? • It is not necessary that the controller actually has access to the data that is being processed to be qualified as a controller. Following slides will define ‘joint controller’ and ‘processor’. 54 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 55 Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. (Article 26) Module 3: Controllers and processors Session notes Article 26 of the GDPR specifies obligations for controllers that jointly determine the purposes and means of processing personal data. • ‘In a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation’ • Data subject rights • Data subject access requests • Contact point for data subjects • ‘Essence of the arrangement’ available to data subjects • Data subjects may exercise their rights against either controller, ‘irrespective of the terms of the arrangement’ EDPB Guidelines 07/2020 • Joint participation can take the form of: • A common decision taken by two or more entities • Converging decisions by two or more entities • Decisions complement each other and are necessary for the processing to take place • Tangible impact on the determination of the purposes and means of the processing • Processing would not be possible without both parties’ participation i.e., inextricably linked Resource: “Guidelines 07/2020 on the concepts of controller and processor in the GDPR,” Adopted 7 July 2021 55 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 56 Controller Which examples illustrate a controller determining the means and purposes of processing ‘jointly with others’? A. Sets up an internet-based common platform for joint marketing actions A travel agency… C. Collaborates with a separate organisation to run a co-branded promotional event with a prize draw. B. Uses a marketing firm to carry out its mail marketing campaigns. D. Shares personal data with airlines and hotels. Each party is responsible for its own processing. Module 3: Controllers and processors Session notes Which examples illustrate a controller determining the means and purposes of processing ‘jointly with others’? • Scenario A • Group of companies: Two or more group entities determine together the purpose and means for the same processing (e.g., to provide package travel deals) • Joint responsibility • Separate data • Shared technical database/infrastructure used for individual purposes (e.g., internet-based common platform) • Scenario B (Processor obligations are discussed on the following slide) • Disclosure to an internal or external processor • Respective rights and obligations of controller and processor • Scenario C • The database for the prize draw is shared between both organisations • Joint responsibility • Scenario D • Personal data shared from one controller to another controller (disclosure to a third-party controller) • Each party responsible for its own processing of the data The EDPB Guidelines 07/2020 on the concepts of ‘controller’ and ‘processor’ may serve as a helpful resource for determining if a controller operates ‘jointly with others’. The EDPB Guidelines are available at: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf 56 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 57 Processor Definition • Article 4(8): ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’ • Guidelines 07/2020: two basic conditions for qualifying as a processor Module 3: Controllers and processors Optional raise hand Who works for an organisation that uses vendors that process personal data on behalf of it? Session notes Processor definition • Processes on written instructions only (Article 28) • Obtains authorisation • Provides a service to the controller (Article 28) • Assists the controller and informs the controller of GDPR infringements • Protects personal data (Article 28) • Ensures confidentiality and appropriate technical and organisational measures • Demonstrates compliance (Article 30) • • Keeps a record of processing activities on all categories of personal data processing carried out on behalf of the controller Enhanced obligations under the GDPR The GDPR enhances processors’ duties and liabilities. (Yet the burden for data protection still rests heaviest on the controller.) The role of processor is specific to the processing operation: you can be a controller for one particular processing ope ration, a processor for another, and so on. EDPB Guidelines 07/2020 • Qualifying criteria: • Separate entity in relation to the controller • Processes personal data on the controller’s behalf • Controller’s instructions leave some degree of discretion 57 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 58 If a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing (Article 28) Module 3: Controllers and processors Session notes A processor that ‘determines the purposes and means of the processing’ (Article 4[7]) may be a controller in fact When determining the controller, the act of making processing decisions (although not necessarily lawful) can trump law and contract. Case study SWIFT (example of factual controller) Following September 11, 2001, the United States Department of the Treasury served administrative subpoenas on the Society for Worldwide Interbank Financial Telecommunication (SWIFT), which required SWIFT to transfer personal data. SWIFT’s decision to transfer the data designated it as the controller, even though its contractual designation was processor. 58 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 59 Processor Vendor management • Choose reliable processors • Maintain quality control and compliance throughout the duration of the arrangements • Frame the relationship in a contract (or other legally binding act) Module 3: Controllers and processors Session notes The GDPR’s requirements for vendor risk management may seem straightforward; however, translating its requirements into practical action points may pose challenging for the following reasons: • Determining the extent to which the controller can rely upon the processor to attest and monitor its own reliability • Determining the extent to which the controller needs to evaluate third parties before and after contracting, including conducting audits • Complex contractual provisions • Negotiating contracts between two parties of unequal bargaining power or from EU and non-EU jurisdictions • Situations that involve cloud computing; difficulties knowing the precise nature of data processing operations at any given moment in time A checklist may provide issues to consider at the pre-contractual due diligence stage and evidence that the necessary steps were taken. See the following slide for more details. 59 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 60 Engaging processors Pre-contractual duediligence • Appropriate technical and organisational measures to secure data • Processor’s data protection knowledge • Recent high-profile breaches • Under investigation? • Accreditation • Processor’s policy framework • Sub-processors Module 3: Controllers and processors Session notes • GDPR obligations on processors • Accountability (e.g., record-keeping, appointing data protection officer where applicable) • Data subjects’ rights Engaging processors: controller pre-contractual due diligence • Controller must ensure processors implement appropriate technical and organisational measures to secure data • Security prioritised from beginning of controller relationship with potential processor • Ensure enough controls to protect data shared with processor 60 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 61 Engaging processors Components of a contract Article 28 • Subject matter, duration and nature of the data processing • Types of personal data and categories of data subjects • Obligations and rights of the controller • The processor’s responsibilities Module 3: Controllers and processors Session notes Controller-processor contracts (Article 28) • If a controller is engaging a data processor, the controller is obligated to have a documented contract in place that contains: • Subject matter, duration and nature of the data processing • Types of personal data and categories of data subjects • Obligations and rights of the controller • The processor’s responsibilities 61 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 62 Engaging processors Contractual terms  Process on documented instructions only  Ensure confidentiality  Implement appropriate security  Get controller’s consent to engage processors  Assist with data breach notifications  Delete or return personal data  Assist the controller in providing for data subject rights  Demonstrate GDPR compliance  Contribute to audits, including inspections Module 3: Controllers and processors Session notes Engaging processors: contractual terms (Article 28) • Process personal data only on documented instructions from controller • • Including international data transfers Ensure persons authorised to process personal data have committed themselves to confidentiality • Or are under statutory duty of confidence (i.e., processor’s employees sign NDAs) • Implement appropriate technical and organisational measures • Seek controller consent to engage processors • And flow down all terms of contract with controller to sub-contractor • Assist controller in reporting and notifying supervisory authorities and affected individuals of data breaches • Assist the controller in responding to requests for exercising data subject rights • Delete or return all personal data if instructed by controller • Make available to controller all information necessary to demonstrate GDPR compliance • Be prepared to submit to audits, including inspections • By controller or another auditor chosen by controller 62 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 63 Review question 1. True or false: A data controller may be a natural person or a legal entity, while a data processor must be a legal entity. Module 3: Controllers and processors Review question NOTE: Review questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions. 1. True or false: A data controller may be a natural person or a legal entity, while a data processor must be a legal entity. 63 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 64 Review question 2. True or false: A contract protects a processor from being held to the same legal obligations as the controller. Module 3: Controllers and processors Review question 2. True or false: A contract protects a processor from being held to the same legal obligations as the controller. 64 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 65 Review question 3. True or false: A processor may decide where and how to process personal data. Module 3: Controllers and processors Review question 3. True or false: A processor may decide where and how to process personal data. 65 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 66 Review question 4. What actions can a controller take to manage vendor risk? Module 3: Controllers and processors Review question 4. What actions can a controller take to manage vendor risk? 66 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 67 Learning objectives Module 4: Processing personal data • List operations in the data-processing life cycle that constitute data processing • Describe the seven data-processing principles, especially as they relate to determining the purposes for processing • Determine the application of the GDPR based on territorial and material scope • Determine if a data-processing activity is legal under the GDPR based on legitimate processing criteria Module 4 learning objectives • List operations in the data-processing life cycle that constitute data processing. • Describe the seven data-processing principles, especially as they relate to determining the purposes for processing. • Determine the application of the GDPR based on territorial and material scope. • Determine if a data-processing activity is legal under the GDPR based on legitimate processing criteria. 67 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 68 Controllers and processors Processing: ‘Any operation’ performed upon personal data Module 4: Processing personal data Session notes To convey the scope of data processing rules and regulations, first define data processing. • Much more than just collecting personal data • Article 4(2): ‘Any operation’ performed upon data 68 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 69 Processing personal data GDPR principles • Lawfulness, fairness and transparency • Purpose limitation • Storage limitation • Integrity and confidentiality • Accountability • Data minimisation • Accuracy Module 4: Processing personal data Session notes GDPR Principles for processing • Article 5 • Carried over from earlier laws and regulations, including OECD Guidelines • May be broadly interpreted; however, violators may incur large administrative fines • Lawfulness, fairness and transparency of processing: Honest practices, such as communicating openly with data subjects about personal data processing activities • Purpose limitation: Collecting and processing personal data for the specified purpose only • To determine if personal data may be processed further, use a compatibility test to look for links between purposes, nature of the data, method of collection, consequences of secondary uses and safeguards • Data minimisation: Processing only personal data that is relevant and necessary for the purpose • Data quality and accuracy: Processing complete and up-to-date personal data • Storage limitation: Retaining only personal data that is relevant and necessary for the purpose • Integrity and confidentiality: Ensuring personal data is secure • Accountability: Processing personal data responsibly and demonstrating compliance with EU and member state data protection laws 69 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 70 Enforcement action Denmark DPA recommends GDPR fine for taxi company (2019) Module 4: Processing personal data Session notes Denmark DPA recommends GDPR fine for taxi company (2019) Denmark’s data protection authority, Datatilsynet, recommended a fine of 1.2 million Danish krones ($180,000) to taxi company Taxa 4x35 for violations of the GDPR, Bloomberg Law reports. The DPA found the taxi company did not adhere to the GDPR’s data-minimisation principle. While Taxa deleted the names from all its records after two years, the rest of the ride records remained intact. The DPA recommended the fine after it was discovered the taxi company continued to hold onto individuals’ phone numbers after their names were removed from the records. 70 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 71 Enforcement action Dutch DPA hits tennis association with 525K euro GDPR fine (2020) IAPP, “Dutch DPA hits tennis association with 525K euro GDPR fine,” Daily Dashboard, 4 March 2020, https://iapp.org/news/a/dutch-dpa-hits-tennis-association-with-520k-euro-gdpr-fine/. Session notes Dutch DPA hits tennis association with 525K euro GDPR fine (2020) Sponsors of the Royal Dutch Lawn Tennis Association (KNLTB) received personal data in the form of names, genders and addresses from the association for the purpose of marketing tennis-related and other offers to KNLTB members. The Dutch Data Protection Authority served the KNLTB with a 525K euro fine declaring that the association did not have any basis under the GDPR data processing principles for sharing personal information of its members with sponsors. The KNLTB states that the data sharing was based on legitimate interest under the GDPR and has objected to the fine. 71 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 72 Chat Knowledge check An access control system used for building security is later used to pull login data to track employee punctuality. The employees are not informed of this new processing action, and the controller does not keep consistent records of the processing activities. Which GDPR principles may have been violated? Module 4: Processing personal data Chat: Knowledge check An access control system used for building security is later used to pull login data to track employee punctuality. The employees are not informed of this new processing action, and the controller does not keep consistent records of the processing activities. Which GDPR principles may have been violated? 72 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 73 Processing personal data Territorial scope of the GDPR: Three criteria 1. Where the data is processed in the context of the activities of an establishment of a controller or processor in the EU Module 4: Processing personal data Session notes The GDPR lays out specific criteria for its application, which covers territorial and material scope (material scope covered later in this module). Territorial scope relies on three criteria as set out in Article 3 of the GDPR. Just one of these criteria must be met for the GDPR to be applicable. 1. Where the data is processed in the context of the activities of an establishment of controller or processor in the EU (regardless of whether or not the actual processing takes place in the EU) • EDPB guidance: A processor is not necessarily an establishment of a controller based on its status of processor alone 73 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 74 Processing personal data Territorial scope of the GDPR: Three criteria 1. Where the data is processed in the context of the activities of an establishment of a controller or processor in the EU 2. Intentional processing of personal data of data subjects in the EU relating to offering goods or services or intentional monitoring behaviour in the EU Module 4: Processing personal data Session notes The GDPR lays out specific criteria for its application, which covers territorial and material scope (material scope covered later in this module). Territorial scope relies on three criteria as set out in Article 3 of the GDPR. Just one of these criteria must be met for the GDPR to be applicable. 2. Intentional processing of personal data of data subjects in the EU relating to offering goods or services or intentional monitoring behaviour in the EU (where the controller or processor is not established in the EU) • Data subject-centric way of determining applicability of the law • EDPB guidance: Processing personal data of individuals in the EU alone is not the trigger; the important element is ‘targeting’ • Offering of goods and services to data subjects residing in the EU (a website directed at the relevant jurisdiction) • Monitoring • Digital tracking of behavior • EDPB guidance: plus CCTV usage and market surveys • A ubiquitous practice • EDPB guidance: not just any online collection or analysis of personal data, but dependent on purpose 74 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 75 Processing personal data Territorial scope of the GDPR: Three criteria 1. Where the data is processed in the context of the activities of an establishment of a controller or processor in the EU 2. Intentional processing of personal data of data subjects in the EU relating to offering goods or services or intentional monitoring behaviour in the EU 3. Processing of personal data by a controller not established in the EU but in a place where member state law applies by virtue of public international law Module 4: Processing personal data Session notes The GDPR lays out specific criteria for its application, which covers territorial and material scope (material scope covered later in this module). Territorial scope relies on three criteria as set out in Article 3 of the GDPR. Just one of these criteria must be met for the GDPR to be applicable. 3. Processing of personal data by a controller not established in the EU but in a place where member state law applies by virtue of public international law • EDPB guidance: Requires a designated representative in the Union. The representative must be established in one of the Member States where a service is being offered. The name and contact details of the data controller and its representative in the Union must be made available to data subjects. Resources: “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)” Adopted 12 November 2019 https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_cons ultation_en_1.pdf “Guidelines 05/2018 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR,” Adopted 18 November 2021 https://edpb.europa.eu/system/files/2021-11/edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf 75 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 76 • 76 Material Materialscope: scope:‘processing ‘processing of ofpersonal personaldata datawholly whollyor or partly partlyby byautomated automatedmeans’ means’ or or‘processing ‘processingother otherthan thanby by automated automatedmeans meansof ofpersonal personal data datawhich whichform formpart partof ofaa filing filingsystem’ system’(Article (Article2) 2) Module 4: Processing personal data Session notes Material scope (Article 2) • ‘Processing of personal data wholly or partly by automated means’ • Any processing operation performed without or partly without human intervention • No to be confused with automated decision-making, which has strict restrictions under the GDPR (discussed in Module 5) • ‘Personal data which forms part of a filing system’ • Or are intended to form part of a filing system • Even if the processing is not conducted by automated means • Exclusions • Activities outside the scope of EU law (e.g., national security activities) • Law enforcement and public security • Purely personal or household activities 76 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 77 Material scope Module 4: Processing personal data Case study Bodil Lindquist v. Åklagarkammaren (2003) Mrs. Lindquist (whose purposes were mostly charitable and religious) published on a private home page personal data about her colleagues, including telephone numbers and information about a coworker’s injured foot and medical leave. This case raised the question if a private home page accessible to only those who have the address is permitted under one of the exclusions (household activity). The Court of Justice of the EU ruled that it is not. 77 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 78 Processing personal data Lawful grounds • 78 Consent Module 4: Processing personal data Session notes Lawful grounds (Article 6) • If activities fall within the territorial and material scope of the GDPR … • One of six conditions must be met • Consent from the data subject for a specific processing purpose • Commonly used • However, under the GDPR additional conditions must be met • Conditions for consent • Demonstrable (if processing based on consent) • If a written declaration, clearly distinguishable, etc. • Right to withdraw any time (as easy as it was to give) • Not conditional for performance of contract if not necessary 78 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 79 Processing personal data Lawful grounds • 79 Consent Contractual necessity Module 4: Processing personal data Session notes Lawful grounds (Article 6) • Performance of a contract • If the processing is necessary to perform the contract (and the data subject is a party to the contract) • Or if the data subject requests the processing in order to enter into a contract 79 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 80 Processing personal data Lawful grounds • 80 Consent Contractual necessity Legal obligation Module 4: Processing personal data Session notes Lawful grounds (Article 6) • Compliance with a legal obligation to which the controller is subject • Meant to be interpreted narrowly • Applies to legal obligations required by EU and member state laws only • Does not include legal obligations of contracts or those of third countries (outside the EU) 80 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 81 Processing personal data Lawful grounds • 81 Consent Contractual necessity Legal obligation Vital interests Module 4: Processing personal data Session notes Lawful grounds (Article 6) • Protection of vital interests of the data subject or another natural person • If personal data must be processed to ensure an individual’s survival • Should only be used in an emergency situation and if no other option is available 81 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 82 Processing personal data Lawful grounds • 82 Consent Contractual necessity Legal obligation Vital interests Public interest Module 4: Processing personal data Session notes Lawful grounds (Article 6) • Necessary for the public interest or in the exercise of official authority of the controller • Controller required to process personal data in the public interest • Member state legislation may determine what tasks fall within the public interest 82 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 83 Processing personal data Lawful grounds for controllers • 83 Consent Contractual necessity Legal obligation Vital interests Public interest Legitimate interests Module 4: Processing personal data Session notes Lawful grounds (Article 6) • Necessary for the legitimate interests of the controller or a third party (unless overridden by the interests, rights or freedoms of the data subject, in particular where the data subject is a child) • Has often been used as a safety net in the absence of another legitimate basis for processing personal data • While it may still prove a more realistic option than consent, it should be used with caution 83 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 84 Processing personal data Consent • Clear affirmative act • Freely given • Specific and informed • Unambiguous indication of wishes • Written, electronic, oral or any other means • Conditions “Guidelines 05/2020 on consent under Regulation 2016/679,” Adopted 4 May 2020, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf. Session notes Consent has always been one of the cornerstones of EU data protection; however, under the GDPR, the conditions for consent have become elevated. The elevated requirements for consent have made it difficult to obtain lawfully. Consent (Recitals 32, 42-43; Articles 4[11], 7) • Freely given • Not if service or performance of contract is conditional upon consent (unless consent is necessary for the performance of the contract) • Not if there is a clear imbalance of power between the data subject and the controller (e.g., controller public authority) • Data subject chooses to have personal data processed • Can withdraw at any time (as easy to withdraw as it is to give consent) • Specific • Informed of all intended purposes at the time of consent (additional consent may be required if another purpose arises) • Some flexibility for research and scientific purposes (data subject gives consent with as much specificity as possible, knowing other uses within the same general area of scientific research may arise) • Informed • Data subject informed, at least, of the controller’s identity, purpose for processing, and information about how processing may affect data subjects • Controller can demonstrate data subject was informed prior to consent • Clearly distinguishable from other matters • Intelligible, clear and in plain language • Compatible with the original purpose 84 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 85 Processing personal data Consent • Clear affirmative act • Freely given • Specific and informed • Unambiguous indication of wishes • Written, electronic, oral or any other means • Conditions “Guidelines 05/2020 on consent under Regulation 2016/679,” Adopted 4 May 2020, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf. Session notes Consent (Recitals 32, 42-43; Articles 4[11], 7) (cont.) • Unambiguous indication of wishes • Absolutely clear • Clearly an affirmative action (e.g., opt-in, technical setting for information society services, browser setting) • Not silence, inactivity, a pre-ticked box or opt-out • Implied through the provision of data • Conditions for consent • Demonstrable (if processing based on consent) • If a written declaration, clearly distinguishable, etc. • Right to withdraw any time (as easy as it was to give) • Not conditional for performance of contract if not necessary 85 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 86 Processing personal data Consent for children’s data Article 8 • Information society services • Authorisation of parent or guardian of children below 16 years old • Reasonable efforts to verify Module 4: Processing personal data Session notes Obtaining consent for processing children’s personal data • Even more rigorous when information society services are being offered • Including online technologies (e.g., social media and apps) • Consent must be given by a parent or guardian when the child is younger than 16 years old • Member states can lower threshold to as young as 13 years old • Controller must make reasonable efforts to verify 86 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 87 Chat Brainstorm Methods a controller may use to verify parental authorisation Module 4: Processing personal data Session notes • Think about the children you know and all the online technologies they use (and how often) • Imagine the difficultly for parents to consent to every service a child uses online, including social media and apps Chat: Brainstorm Methods a controller may use to verify parental authorisation 87 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 88 Processing personal data Legitimate interests • Processing is necessary • Interests are balanced against the data subject’s • Criteria is more restrictive Module 4: Processing personal data Session notes Legitimate interests of the controller or third party (Recitals 47–49) • Processing is necessary to meet the controller or third party’s legitimate interests • Interests are balanced against the data subject’s (balancing test) • An attractive alternative to consent, yet no longer a fallback option • Criteria is more restrictive • Compliance with other legal obligations • Transparency • Economic interests not necessarily sufficient • Importance of upholding fundamental rights and freedoms of the data subjects • Use limitation: compatibility • Adequate safeguards for secondary uses, including pseudonymisation and encryption 88 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing personal data 89 Article 9: Special categories of personal data Prohibition to process, except if: Explicit consent In the context of employment Vital interests of individual Political, philosophical and religious purposes Sensitive data manifestly made public Module 4: Processing personal data Session notes • Explicit consent • • Unambiguous, freely given, specific and informed, and a clear affirmative act by the data subject In the context of employment • When the processing of special categories is necessary for the controller to comply with a legal obligation under employment, social security and social protection law • When data subjects are candidates, employees, contractors • Vital interests of individual • Controller must be able to demonstrate that it is not possible to obtain consent • Political, philosophical and religious purposes • Covers particular foundations, associations, not-for-profit bodies and any foundation, association or notfor-profit body with trade union aim • Relates to the processing of special categories of data about members of the organisation, former members or those who have regular contact with the organisation for the organisation’s purposes • Appropriate safeguards in place to protect personal data • The data must not be disclosed outside the organisation without the data subject’s consent • Sensitive data manifestly made public by the data subject • When data subjects disclose sensitive data about themselves (e.g., details about political opinions or health while giving a media interview) • Data collected from social networking sites 89 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing personal data 90 Article 9: Special categories of personal data (continued) Prohibition to process, except if: Establishment, exercise or defence of legal claims Substantial public interest Medicine and social healthcare Public health Public archives, scientific or historical research, or statistical Module 4: Processing personal data Session notes • Establishment, exercise or defence of legal claims • Controller must establish necessity • Close and substantial connection between the processing and the purpose • Substantial public interest • Narrower under GDPR • Reason for processing balanced with data subject’s right to data protection • Suitable and specific measures to safeguard data subject’s fundamental rights and interests • Member states can specify reasons of public interest (e.g., preventing and detecting crime) • Medicine and social healthcare • Assessing the working capacity of an employee, making a medical diagnosis, providing health or social care or treatment, managing health or social care systems or services • Reason for processing based on EU or member state law, or necessary to fulfil a contract • Public health • Based on EU or member state law • GDPR examples: ‘Protecting against serious cross-border threats to health or ensuring high standards of quality and safety in health care and of medicinal products or medical devices’ • Public • • • archives or scientific or historical research or statistical Further interpretation from member state law Processing proportionate to the purpose Suitable and specific measures to safeguard data subject’s fundamental rights and interests 90 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 91 1. What is data processing? Review question A. Any action involved in collecting personal data B. Any action performed upon data C. Any action involved in securing and protecting data D. Any action that adapts or alters data Module 4: Processing personal data Review question NOTE: Review questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions. 1. What is data processing? A. Any action involved in collecting personal data B. Any action performed upon data C. Any action involved in securing and protecting data D. Any action that adapts or alters data 91 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Review question A. Where the data is processed in the context of the activities of an establishment of a controller or processor in the EU B. Intentional processing of personal data of data subjects in the EU relating to offering goods or services or intentional monitoring of behaviour in the EU C. Processing of personal data by a controller not established in the EU but in a place where member state law applies 92 2. What are the criteria used to determine the territorial scope of the GDPR? Select all that apply. Module 4: Processing personal data Review question 2. What are the criteria used to determine the territorial scope of the GDPR? Select all that apply. A. Where the data is processed in the context of the activities of an establishment of a controller or processor in the EU B. Intentional processing of personal data of data subjects in the EU relating to offering goods or services or intentional monitoring of behaviour in the EU C. Processing of personal data by a controller not established in the EU but in a place where member state law applies 92 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 93 Review question 3. True or false: Exclusions to the material scope of the GDPR should be interpreted broadly. Module 4: Processing personal data Review question 3. True or false: Exclusions to the material scope of the GDPR should be interpreted broadly. 93 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 94 Review question 4. Which exception to the prohibition on processing special categories of data must be explicit? A. Consent B. Vital interests C. Publicly available data Module 4: Processing personal data Review question 4. Which exception to the prohibition on processing special categories of data must be explicit? A. Consent B. Vital interests C. Publicly available data 94 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 95 Module 5: Data subject rights Learning objectives • Describe data subject rights regarding the processing of their personal data • Recognise controller and processor obligations regarding data subject rights Module 5 learning objectives • Describe data subject rights regarding the processing of their personal data. • Recognise controller and processor obligations regarding data subject rights. 95 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 96 Data subjects’ rights Access • Confirmation of processing and access • Processing information – Purpose – Categories of personal data – Recipients – Retention period – Additional data subject rights – Source of personal data – Automated decision-making • Appropriate safeguards for data transfers • A copy of the personal data Module 5: Data subject rights Session notes (Recitals 59, 63; Article 15): Data subjects shall have the right to: • Confirmation their personal data is being processed and access to it • Processing information • Purpose of the processing • The categories of personal data • Recipients/categories of recipients of the personal data, in particular in third countries/international organisations • Retention period/criteria used to determine period • Information about data subject rights to rectification, to erasure, to restriction, to object and to lodge a complaint with an SA • Any available information about the source of the personal data (when not collected from the data subject) • The existence of automated decision-making and information about: • The logic involved • Significance and envisaged consequences • Information about appropriate safeguards for personal data transferred to a third country/international organisation • A copy of the personal data being processed from the controller • Controller may charge reasonable fee for further copies requested • Commonly used electronic form when the request is made by electronic means (and unless otherwise requested) • Cannot adversely affect the rights and freedoms of others 96 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 97 Data subjects’ rights Rectification • Correction – Objectively incorrect – Subjectively incorrect • Completion Module 5: Data subject rights Session notes Rectification without undue delay (Article 16) • Data subjects shall be able to correct or complete their personal data • Correction of inaccurate personal data • Completion of incomplete data (with consideration for the processing purpose) • Where the data must be saved, the data subject may submit a supplementary statement 97 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 98 Chat Brainstorm Under what circumstances might a data subject want or need personal data with an error to be saved? Module 5: Data subject rights Chat: Brainstorm Under what circumstances might a data subject want or need personal data with an error to be saved? 98 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 99 Data subjects’ rights Limitations • Identification of the requester • Protection of others’ rights and freedoms • Purpose of the request • Manifestly unfounded or abuse of right Module 5: Data subject rights Session notes Limitations to rights of access and rectification • Identification of the requester • With reasonable steps to identify • Protection of others’ rights and freedoms, including data controller (e.g., trade secrets and intellectual property) • Purpose of the request • To check the lawfulness of processing and accuracy of personal data • Request is manifestly unfounded or excessive • Repetitive character 99 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 100 Chat Brainstorm Scenarios that may limit a data subject’s rights to access or rectification Module 5: Data subject rights Chat: Brainstorm Scenarios that may limit a data subject’s rights to access or rectification 100 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 101 Data subjects’ rights Data portability Company A’s data-processing software Interoperability Company B’s data-processing software Module 5: Data subject rights Session notes Data portability (Article 20) • Applies where consent or performance of a contract is used as lawful grounds for processing • Extension of access right • Structured, commonly used and machine-readable format • Interoperability: accessibility through multiple systems (Recital 68) • As much metadata as possible • Does not mean maintaining compatible systems • Transfer to data subject (e.g., direct download), another controller (e.g., application programming interface) or a trusted third party • Data controller transferring the data not responsible for the processing activities of the recipient • Data portability does not trigger erasure 101 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 102 Data subjects’ rights Data portability cumulative conditions 1. Personal data processed automatically on the basis of consent or the performance of a contract 2. Personal data concerning and from the data subject 3. Data portability does not adversely affect the rights and freedoms of others Module 5: Data subject rights Session notes The Article 29 Working Party has provided ‘Guidelines on the Right to Data Portability’, which further defines this data subject right. Data portability cumulative conditions 1. Personal data processed automatically (not paper files) on the basis of consent or the performance of a contract 2. Personal data concerning and from the data subject (including that observed from activities of the user) 3. Data portability does not adversely affect the rights and freedoms of others (e.g., a data set containing personal data relating to other individuals, as well as the individual requesting data portability) 102 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Erasure 103 Data subject rights Right to be forgotten 1. Cease processing 2. Delete personal information 3. Ensure the information is erased by third parties, including links, copies and replications Module 5: Data subject rights Session notes Right to erasure (‘right to be forgotten’) (Recitals 59, 65-66; Articles 17, 19) • Right to have personal data erased (and no longer processed) • Data no longer necessary for the purpose • Withdrawn consent if processing is based on consent • Objection to processing (if processing is based on legitimate interests) • Data collected in relation to information society services from a child on the basis of consent • Unlawful processing • Compliance with EU and member state law • Right to have public data deleted • Google Spain v. AEPD and Mario Costeja González • Data made public by the controller (e.g., posting a photo of an individual on a social media profile with a public setting) • Reasonable steps by the controller to inform other controllers that the data subject has requested erasure of links to, copies and replications of the data (Recital 66) • Burden on the controller to remove the data • Exceptions ... (see Article 17) 103 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 104 Chat Your outlook Regarding the right to be forgotten, what difficulties might controllers have with third-party follow-up? Module 5: Data subject rights Chat: Your outlook Regarding the right to be forgotten, what difficulties might controllers have with third-party follow-up? 104 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 105 Data subjects’ rights Restriction of processing • Definition • Circumstances • Reasons for restriction • Further processing • Lifting the restriction Module 5: Data subject rights Session notes Restriction of processing (Article 18) • Definition: Personal data is stored without being further processed • Circumstances: When storing data • Is legally required • Ensures protections of another’s rights • Is in the public interest • Reasons data subjects may request restriction • Accuracy is contested and controller needs time to verify • Processing is unlawful, but data subject prefers restriction to erasure • Controller no longer needs data, but data subject needs it for establishment, exercise or defence of legal claims • Data subject objects to processing, pending controller’s verification of legitimate grounds • Once restricted, data may only be further processed • With new consent from the data subject • To exercise or defend legal claims • To protect the rights of another person • For important public interest reasons • Controller must inform data subject before lifting the restriction 105 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 106 Data subjects’ rights Right to object to processing Public interest or legitimate interests Module 5: Data subject rights Session notes Right to object to processing (Article 21) • Three sub-categories • Public interest or legitimate interest • Not an absolute right • Data subject’s right to object at any time to processing based on the public interest or the controller’s legitimate interest • Controller burden to demonstrate compelling, legitimate interest that overrides individual’s interests, rights and freedoms 106 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 107 Data subjects’ rights Right to object to processing Public interest or legitimate interests Research or statistical purposes Module 5: Data subject rights Session notes Right to object to processing (Article 21) • Not an absolute right • Three sub-categories • Research or statistical purposes • Data subject’s right to object at any time to processing for scientific/historical research or statistical purposes • On grounds relating to individual’s particular situation • Overridden if processing is necessary for performance of a task carried out in the public interest 107 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 108 Data subjects’ rights Right to object to processing Public interest or legitimate interests Research or statistical purposes Direct marketing Module 5: Data subject rights Session notes Right to object to processing (Article 21) • Not an absolute right • Three sub-categories • Direct marketing • Data subject right to object at any time to processing for direct marketing purposes • Absolute • Must cease processing • Includes profiling 108 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 109 • 109 ‘The ‘Thedata datasubject subjectshall shallhave havethe theright right not notto tobe besubject subjectto toaadecision decisionbased based solely solelyon onautomated automatedprocessing, processing, including includingprofiling, profiling,which whichproduces produces legal legaleffects effectsconcerning concerninghim himor orher heror or similarly similarlysignificantly significantlyaffects affectshim himor or her’ her’(Article (Article22). 22). Module 5: Data subject rights Session notes (Recital 71; Article 22) Prohibition on: • A decision based solely on automated processing • And produces legal or otherwise similarly significant effects • “Solely automated process” and which decisions have “significant effects on individuals” needs guidance from regulator • Strictest for decisions involving children Exemptions (all requiring appropriate safeguards): • Processing necessary to enter into or perform a contract (e.g., evaluating credit risk or insurance risk) • Authorisation of member state law • Data subject’s explicit consent Automated decision-making not permitted on special categories of personal data, unless: • Explicit consent • Or substantial public interest based on union or member state law • Suitable measures must be put in place Article 29 Working Party good practice recommendations: • Provide ‘meaningful information about the logic involved’ • If relying on consent, consult the WP29 guidelines on consent • Consider implementing a mechanism for data subjects to check profiles and allow them to amend inaccuracies • Explicitly bring to the attention of the data subject the right to object, clearly and separately from other information • Use appropriate safeguards (e.g., regular quality assurance checks to systems to make sure individuals are treated fairly and not discriminated against); additional safeguards in guidance 109 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 110 Data subjects’ rights Profiling • Automated processing • Of personal data • To evaluate, analyse and predict • Personal aspects • Relating to a natural person Module 5: Data subject rights Session notes Profiling (Articles 4[4], 22) • Automated processing • Of personal data • For the purpose of evaluating, analysing and predicting • Personal aspects • Relating to a natural person Examples of behavioural profiling/targeting: • Adware • Software installed on a user’s computer • Often bundled with freeware • Monitors online behaviour to target advertising to the user • Web cookie • Piece of text that web server can store on user’s computer hard disk • Later retrieves to get information about user • Web beacon • Passes information from user’s computer to third-party website • Delivered through browser or email • Used to build profiles of user behaviour • Commonly used for online ad impression count, file download monitoring, ad campaign performance and monitoring email reading • Digital fingerprint • Can identify end-user device based on information revealed as part of web page request 110 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 111 Chat Your outlook Under what circumstances may profiling be considered an invasion of privacy? Module 5: Data subject rights Chat: Your outlook Under what circumstances may profiling be considered an invasion of privacy? 111 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection A. Right to restriction of processing B. Right of access C. Right to erasure D. Right to object 112 Review question 1. Which of the following data subjects’ rights provides data subjects with entitlements to certain information, obtainable from the controller upon request? Module 5: Data subject rights Review question NOTE: Review questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions. 1. Which of the following data subjects’ rights provides data subjects with entitlements to certain information, obtainable from the controller upon request? A. Right to restriction of processing B. Right of access C. Right to erasure D. Right to object 112 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 113 Review question 2. The right of access grants data subjects' access to which of the following types of information? Select all that apply. A. The purpose of the processing B. Retention periods C. The means of data storage D. Recipients of the personal data Module 5: Data subject rights Review question 2. The right of access grants data subjects’ access to which of the following types of information? Select all that apply. A. The purpose of the processing B. Retention periods C. The means of data storage D. Recipients of the personal data 113 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 114 Review question 3. Which is not listed by the GDPR as a method for restricting processing of personal data? A. Noting the restriction in the system B. Moving the data to a separate system C. Temporarily removing published data from a website D. Disabling the data management system Module 5: Data subject rights Review question 3. Which is not listed by the GDPR as a method for restricting processing of personal data? A. Noting the restriction in the system B. Moving the data to a separate system C. Temporarily removing published data from a website D. Disabling the data management system 114 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 115 Review question 4. Under which categories may a data subject object to processing personal data? Select all that apply. A. Establishment, exercise or defence of legal claims B. Direct marketing C. Public interest or legitimate interest D. Research or statistical purposes Module 5: Data subject rights Review question 4. Under which categories may a data subject object to processing personal data? Select all that apply. A. Establishment, exercise or defence of legal claims B. Direct marketing C. Public interest or legitimate interest D. Research or statistical purposes 115 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 116 5. What is profiling? Review question A. The processing of personal data gathered from social media sites B. A form of automated decision-making C. The act of enabling cookies D. All the above Module 5: Data subject rights Review question 5. What is profiling? A. The processing of personal data gathered from social media sites B. A form of automated decision-making C. The act of enabling cookies D. All the above 116 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 117 Module 6: Information provision obligations Learning objectives • Define transparency as it relates to the controller’s communications with the data subject • List the information that should be provided by the controller to the data subject when personal data is collected both directly and indirectly Module 6 learning objectives • Define transparency as it relates to the controller’s communications with the data subject. • List the information that should be provided by the controller to the data subject when personal data is collected both directly and indirectly. 117 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 118 Transparency An intelligible and easily accessible form Module 6: Information provision obligations Session notes Transparency • Article 29 Working Party ‘Guidelines on Transparency’: http://ec.europa.eu/newsroom/article29/itemdetail.cfm?item_id=622227 • ‘Transparency is an overarching obligation under the GDPR applying to three central areas: (1) the provision of information to data subjects related to fair processing; (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights’ • Data controllers are to communicate with individuals using … • An intelligible and easily accessible form • Article 12(1): ‘The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally’. • Free of charge unless request is unfounded or excessive 118 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection An intelligible and easily accessible form 119 Transparency Clear and plain language Module 6: Information provision obligations Session notes Transparency • Data controllers are to provide notice using … • Clear and plain language • Adapted to the data subject • Especially for children 119 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection An intelligible and easily accessible form 120 Transparency Clear and plain language Concise Module 6: Information provision obligations Session notes Transparency • Data controllers are to provide notice using … • Concise communication 120 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 121 Chat Your outlook What are the challenges around making information accessible, clear and concise? Module 6: Information provision obligations Chat: Your outlook What are the challenges around making information accessible, clear and concise? 121 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 122 Privacy notice A statement made to a data subject that describes how the organisation collects, uses, retains and discloses personal data Module 6: Information provision obligations Session notes Privacy notice • A statement made to a data subject that describes how the organisation collects, uses, retains and discloses personal data • Related terms: privacy statement, fair processing statement, privacy policy • Large volume of required information = creative methods for communication 122 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 123 Chat Share your experience What strategies does your organisation use to make its privacy notices easy to navigate and concise? Module 6: Information provision obligations Chat: Share your experience What strategies does your organisation use to make its privacy notices easy to navigate and concise? 123 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 124 Transparency strategies Layered privacy notice ‘Just-in-time’ notice Standardised icons Module 6: Information provision obligations Session notes Transparency strategies • For making privacy notices easier to navigate and more concise • Layered privacy notice • Multiple layers of increasingly detailed notices • The Article 29 Working Party endorsement of up to three layers (so long as the sum total meets legal requirements) • Top layer: short notice—just key elements with links • Second and third layers • Condensed notice followed by a full notice • Or full notice followed by FAQs and additional links • ‘Just-in-time’ notice • Delivered at or right before a user accepts a service or product • Or when previously collected data is to be used for a new purpose • Helps to facilitate meaningful choice • Standardised icons (Article 12[7]) • Visualisation • Challenge: to design readable icons • European Commission 124 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 125 When to notify Controllers are required to provide data subjects with information about processing prior to collection • 125 Module 6: Information provision obligations Session notes When to notify • Controllers required to provide data subjects with information about processing prior to collection • Not always possible if obtained from indirect source (e.g., public records) • Prior to further processing • Article 13: Notice not required if data subject already has information 125 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 126 Chat Let’s talk about… What information must be provided to data subjects for direct collection vs. indirect collection of personal data? Module 6: Information provision obligations Chat: Let’s talk about… What information must be provided to data subjects for direct collection vs. indirect collection of personal data? Direct collection • Identity and contact details of the controller and data protection officer • Purpose and legal basis of processing • Recipients of the personal data • Intention to transfer data to a third country or international organisation • Legal basis for intended international transfers, including the fact that either the receiving country has an adequacy decision from the Commission or other appropriate safeguards are in place, as set out in Articles 46, 47 and 49; and how to obtain a copy of these safeguards • Legitimate interests of the controller if the controller uses its legitimate interests as the legal basis for the collection • Storage period or the criteria used to determine the length of storage • Data subjects’ rights to withdraw consent at any time, to request access, to rectification or restriction of processing, and to lodge a complaint with a supervisory authority; plus, the fact that withdrawing consent does not affect the lawfulness of processing that has already been completed if the controller uses consent as its legal basis for collection • Whether the provision of the personal data is a statutory or contractual requirement, as well as whether the data subject is obliged to provide the data, and consequences of failing to do so • Information about the use of automated decision-making Indirect collection within a reasonable period after obtaining the data (no more than one month) or upon first communication with the data subject when personal data is used to communicate • See above requirements • The categories of personal data concerned • Plus the source of the data 126 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 127 Exceptions Subject to strict criteria to ensure the rights and freedoms of the data subject Module 6: Information provision obligations Session notes Exceptions to information provision requirement for indirect collection • Data subject already has the information • Subject to strict criteria to ensure the rights and freedoms of the data subject • If impossible or requires disproportionate effort • Example from Article 29 Working Party’s ‘Guidelines on transparency’: ‘A large metropolitan hospital requires all patients for day procedures, longer-term admissions and appointments to fill in a Patient Information Form which seeks the details of two next-of-kin (data subjects). Given the very large volume of patients passing through the hospital on a daily basis, it would involve disproportionate effort on the part of the hospital to provide all persons who have been listed as next-of-kin on forms filled in by patients each day with the information required under Article 14.’ • If it would render impossible or seriously impair the purpose of the data processing • If national or EU laws require obtaining or disclosing data and provide appropriate measures to protect individuals’ interests • If national or EU laws require that the personal data remain secret 127 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 128 Enforcement action Poland's DPA issues its first GDPR fine (2019) IAPP, “Poland's DPA issues its first GDPR fine,” Daily Dashboard, 1 April 2019, https://iapp.org/news/a/polands-dpa-issues-first-gdpr-fine. Session notes Poland's DPA issues its first GDPR fine (2019) Poland’s data protection authority has issued its first fine under the GDPR, TechCrunch reports. The Personal Data Protection Office fined digital marketing company Bisnode 220,000 euros for its failure to fulfil its data subject rights obligations under Article 14 of the GDPR. The DPA gave Bisnode three months to reach out to 6 million people in order to meet its Article 14 information notification requirements. ‘The decision is seen as radical, as it interprets Article 14 literally’, Oxford University Center for Technology and Global Affairs Research Associate Lukasz Olejnik said. ‘UODO has taken a very principled position, arguing that the company business model is fully based on processing scraped data, and that the company has taken a decision willingly’. 128 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 129 Review question 1. True or false: A controller may charge an administrative fee to data subjects if they request that the information provision be in an oral format. Module 6: Information provision obligations Review question NOTE: Review questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions. 1. True or false: A controller may charge an administrative fee to data subjects if they request that the information provision be in an oral format. 129 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 130 Review question 2. True or false: The transparency principle states that detail is more important than conciseness in a privacy notice. Module 6: Information provision obligations Review question 2. True or false: The transparency principle states that detail is more important than conciseness in a privacy notice. 130 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 131 Review question 3. What additional information must be provided to data subjects when the controller’s necessity is being used as the legal basis for processing? A. Source of the data B. Controller’s legitimate interest C. Legal basis for transferring data internationally D. Recipients of the data Module 6: Information provision obligations Review question 3. What additional information must be provided to data subjects when the controller’s necessity is being used as the legal basis for processing? A. Source of the data B. Controller’s legitimate interest C. Legal basis for transferring data internationally D. Recipients of the data 131 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 132 Review question 4. What information must be provided to data subjects when the personal data that will be processed was collected indirectly? A. Source of the data B. Storage period C. Controller’s legitimate interest D. Statutory or contractual requirement Module 6: Information provision obligations Review question 4. What information must be provided to data subjects when the personal data that will be processed was collected indirectly? A. Source of the data B. Storage period C. Controller’s legitimate interest D. Statutory or contractual requirement 132 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 133 Review question 5. What information must be provided to data subjects when their personal data will be shared with an outside organisation to provide them with a promised service? A. Intention to transfer data internationally B. Use of automated decision-making C. Source of the data D. Recipients of the data Module 6: Information provision obligations Review question 5. What information must be provided to data subjects when their personal data will be shared with an outside organisation to provide them with a promised service? A. Intention to transfer data internationally B. Use of automated decision-making C. Source of the data D. Recipients of the data 133 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 134 Review question 6. What information must be provided to data subjects in all circumstances? Select all that apply. A. Purpose of processing B. Data subjects’ rights C. Identity of the controller D. Controller’s legitimate interest Module 6: Information provision obligations Review question 6. What information must be provided to data subjects in all circumstances? Select all that apply. A. Purpose of processing B. Data subjects’ rights C. Identity of the controller D. Controller’s legitimate interest 134 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 135 Review question 7. True or false: Information provision is required, even if it necessitates disproportionate effort. Module 6: Information provision obligations Review question 7. True or false: Information provision is required, even if it necessitates disproportionate effort. 135 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 136 Learning objectives Module 7: International data transfers • Describe the options and obligations for international data transfers • List the European Commission’s adequacy decisions, appropriate safeguards, derogations and restrictions • Summarise the current state of U.S. adequacy • Recognise controller and processor obligations and restrictions regarding international data transfers Module 7 learning objectives • Describe the options and obligations for international data transfers. • List the European Commission’s adequacy decisions, appropriate safeguards, derogations and restrictions. • Summarise the current status of U.S. adequacy. • Recognise controller and processor obligations and restrictions regarding international data transfers. 136 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 137 International data transfers The landscape 1. Adequacy decisions 2. Appropriate safeguards 3. Derogations Module 7: International data transfers Session notes First, ensure legal basis to process personal data (discussed earlier in Module 4). The landscape of cross-border data transfer options (discussed in more depth on following slides) should be considered in order, one through three: 1. Adequacy decisions 2. Appropriate safeguards 3. Derogations Controller now obligated to inform data subject about data transfers • Has always been good practice • If controller plans to transfer personal data internationally, must tell data subject of existence or absence of adequacy decision • Regardless of legal basis for transfer • Controller must inform data subject of intent to transfer personal data to another country or multinational organisation • Must describe safeguards being used to protect the data 137 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 138 International data transfers Adequacy • What is it? • Who determines it? • What is the criteria? Module 7: International data transfers Session notes Adequacy (Article 45) • What is it? • • Who determines it? • • Adequate level of data protection for a country, territory, sector (e.g., health care or financial services) and international organisation The European Commission (through implementing act and examination procedure) • Mechanism for reviewing every four years • Ability to repeal, amend and suspend • Already existing decisions (from Directive) in force until amended, replaced and appealed What is the criteria? • Respect of rule of law • Access to justice • International human rights standards • General and sectoral laws and case law • Effective and enforceable rights for individuals, including effective administrative and judicial redress • Data protection rules, professional rules and security measures—including specific rules for onward transfers • Other international commitments or obligations • With adequacy decision, no additional authorisation for transferring data required • Countries the European Commission has deemed adequate for international data transfers • Andorra, Argentina, Canada (For data protected by PIPEDA, applicable to commercial organisations but not all forms of personal data), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea (South Korea), Switzerland, United Kingdom (GDPR and the LED), Uruguay 138 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection EU-U.S. data transfers 139 International data transfers Privacy Shield Module 7: International data transfers Session notes Case summary Schrems v. Data Protection Commissioner Mr. Schrems was a Facebook user in Austria. After revelations of NSA surveillance in the U.S. allegedly involving Facebook’s cooperation, Schrems complained to the Irish SA that Facebook Ireland, the company’s European subsidiary, was improperly transferring his data to the U.S. where it could be accessed by the NSA. The data transfers from Facebook Ireland to the U.S. were allowed under the Safe Harbor adequacy decision. However, because the European Commission had not assessed U.S. limits on government access to data for national security purposes in its Safe Harbor adequacy determination, the CJEU struck down the adequacy determination as inconsistent with the European right to privacy. A subsequent ruling by the CJEU on July 16, 2020 invalidated the European Commission’s adequacy determination for the EU-U.S. Privacy Shield, citing that: • The U.S. surveillance programs are not limited to what is strictly necessary and proportional as required by Article 52 of the EU Charter on Fundamental Rights • EU data subjects lack actionable judicial redress and don’t have the right to an effective remedy in the U.S., as required by Article 47 of the EU Charter • The CJEU decision also included findings regarding the need for case-by-case assessments of the sufficiency of foreign protections when using standard contractual clauses, discussed in more detail later. In March of 2022, the EU and U.S. announced they have reached an agreement on a new Trans-Atlantic Data Privacy Framework. Currently, this agreement is in principle only, but aims to reestablish a legal mechanism for transfers of EU personal data to the U.S. 139 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 140 Chat Let’s talk about… How do the Schrems judgments raise the threshold in general for adequacy assessments? Module 7: International data transfers Chat: Let’s talk about… How do the Schrems judgments raise the threshold in general for adequacy assessments? Resources: https://iapp.org/news/a/cjeu-invalidates-eu-us-privacy-shield-sccs-remain-valid/ https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-transfers-in-question/ https://iapp.org/resources/article/guidance-notes-for-responding-to-schrems-ii/ 140 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 141 Chat Discuss How are personal data transfers from the EU to the U.K. and the U.K. to the EU dealt with since Brexit? Module 7: International data transfers Session notes 2016: U.K. voted by narrow margin to leave EU In January 2020, the European Parliament voted to end the U.K.'s membership in the EU. On 24 December 2020, days before the Brexit transition period came to an end, the U.K. and EU reached a comprehensive agreement known as the EU/U.K. Trade and Cooperation Agreement. While the focus of the agreement is on trade and the movement of goods between the U.K. and European Economic Area, the agreement has implications for the privacy practices of controllers processing U.K. and/or EEA personal data. Most significantly, the agreement foresees that during a period of maximum four months, which can be extended by another two months, EEA personal data can continue to flow freely to the U.K., notwithstanding the fact that, so far, the U.K. has not secured adequacy treatment under the EU GDPR. Conferring an adequacy decision on the U.K. will require a proposal from the European Commission, an opinion from the European Data Protection Board, approval by EU member state representatives and an adopting decision by the commissioners. The U.K. has already indicated that it considers the EU data protection regime adequate so that personal data can continue to flow freely from the U.K. to the EU. The U.K. Data Protection Act was enacted 23 May 2018. The law replaces the Data Protection Act 1998 and sets new standards for data protection in accordance with the GDPR. The U.K. has transposed GDPR through the Data Protection Act 2018, which continues to be in force after Brexit. Consequently, the principles and rules of EU data protection law continue to apply in the U.K. Organisations subject to both the U.K. Data Protection Act and EU GDPR may also need to appoint representatives in each jurisdiction if they qualify as controllers located in a third country. United Kingdom: The U.K. formally left the European Union on 1 January 2020. The Trade and Cooperation Agreement signed between the EU and U.K. on 24 December 2020 allowed the transfer of personal data from the EU to the U.K. to continue for up to six-months. The European Commission has now declared the U.K. adequate under the GDPR and Law Enforcement Directive (LED). Chat: Discuss How are personal data transfers from the EU to the U.K. and the U.K. to the EU dealt with since Brexit? Resources: https://ec.europa.eu/commission/presscorner/detail/ro/ip_21_3183 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulationgdpr/international-data-transfer-agreement-and-guidance/ 141 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 142 International data transfers Appropriate safeguards • Standard data protection clauses • Approved codes of conduct and certification mechanisms • Ad hoc contractual clauses • International agreements Module 7: International data transfers Session notes Appropriate safeguards (Article 46) • Approved codes of conduct and certification mechanisms (discussed on following slides) • Binding corporate rules (discussed later in module) • Standard contractual clauses • Also known as model clauses • Adopted by the Commission or a national SA (and then approved by the Commission) • For a company in EEA that wants to send data to company outside EEA • Different types for data controllers and processors • Standard form that is non-negotiable • Most commonly used tool for appropriate safeguards • In the wake of “Schrems II,” the legality of SCCs was upheld. However, companies must conduct case-bycase assessments on the laws in each recipient country to ensure essential equivalence to EU law for personal data being transferred under SCCs or BCRs. If the laws are not essentially equivalent, companies must provide additional safeguards or suspend transfers. Such additional safeguards can involve additional technical controls and contractual obligations on how to manage onward transfers and compelled disclosures to authorities. The process of assessing data protection equivalence is commonly referred to as conducting a “Transfer Impact Assessment (TIA).” Note that this is NOT terminology used by the EDPB or European Commission, but rather an industry-coined term. To facilitate this assessment, many organisations are relying on questionnaires and adopting a combination of technical, organisational and contractual safeguards. 142 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 143 International data transfers Appropriate safeguards (continued) • Standard data protection clauses • Approved codes of conduct and certification mechanisms • Ad hoc contractual clauses • International agreements Module 7: International data transfers Session notes Appropriate safeguards (Article 46) continued • Ad hoc contractual clauses • Must have SA authorisation • Allow for individual tailoring to company needs • Provisions for such clauses may differ at member state level • Reliance on international agreements • Two countries may enter into an agreement between themselves to provide for protection of personal data • Example: Passenger name records (PNRs) – see https://www.dhs.gov/publication/passenger-namerecords-agreements 143 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 144 International data transfers Appropriate safeguards: codes of conduct • Created/revised by associations and other bodies representing controllers or processors for: – GDPR application – Helping controllers and processors demonstrate compliance – Creating market efficiencies – Facilitating international data transfers • Binding and enforceable Module 7: International data transfers Session notes Codes of conduct: compliance-signalling tools for controllers and processors (Articles 40, 41). • Created/revised by associations/other bodies representing controllers or processors for: • GDPR application (see list of topics in Article 40) • Helping controllers and processors demonstrate compliance • Risks associated with data processing and security obligations • Creating market efficiencies (e.g., saving a controller from having to conduct its own review of a potential data processor’s systems and monitoring its ongoing compliance). • Helps to streamline contracting and reduces time needed for internal legal review. • Facilitating international data transfers • Non-EU controllers and processors must also make ‘binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including as regards data subjects’ rights’ • Binding and enforceable • Approved codes of conduct must enable ‘the mandatory monitoring of compliance with its provisions’ by accredited monitoring bodies • When a controller or processor infringes the code, an accredited body can suspend or exclude the infringing party from the code, notifying the supervisory authority of the proceeding • Adherence with a code is a factor to be considered in assessing an administrative fine EDPB Guidelines 04/2021 includes a checklist of elements to be included in a code of conduct intended for transfers Resource Guidelines 04/2021 on Codes of Conduct as tools for transfers, Adopted on 22 February 2022 https://edpb.europa.eu/system/files/202203/edpb_guidelines_codes_conduct_transfers_after_public_consultation_en_1.pdf 144 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 145 International data transfers Appropriate safeguards: certification mechanisms • May be issued by accredited certification bodies, competent supervisory authorities and the EDPB for: – Assisting controllers and processors in same situations as through codes of conduct – Additionally, demonstrating compliance with Article 25— data protection by design and by default • Good for no more than three years (may be renewed) • Consequences for noncompliance Module 7: International data transfers Session notes Certifications: recognised by the GDPR (along with seals and marks) as acceptable mechanisms for demonstrating compliance (Articles 42, 43) • ‘Shall be voluntary and available via a process that is transparent’ • Does not serve to ‘reduce the responsibility of the controller or the processor for compliance’ • May be issued by accredited certification bodies, competent supervisory authorities and the EDPB for: • Assisting controllers and processors in same situations as through codes of conduct • Additionally, demonstrating compliance with Article 25—data protection by design and by default • Good for no more than three years (may be renewed if conditions and requirements are still met) • Consequences for non-compliance • Accredited certification body responsible for withdrawing certification in the event of noncompliance • Must inform the supervisory authority and provide reasons • Certification is a factor to be considered in assessing an administrative fine 145 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 146 International data transfers Appropriate safeguards: binding corporate rules Who? What? How? Why? Companies engaged in joint economic activity Internal and legally binding rules Standard applications Flexibility Approval by supervisory authorities Additional references: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614109 and https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614110 Session notes Appropriate safeguards: binding corporate rules (BCRs) • Who • Companies engaged in joint economic activity • Corporate groups and groups of enterprises • Controllers and processors • What? • Internal and legally binding rules • Expressly conferred enforceable rights of data subjects • How? • Former Article 29 Working Party: published separate recommendations for BCR applications of controllers and processors, including standard application forms • Approval by supervisory authorities • Article 47: Detailed conditions for transfers • Why? • Flexibility • Low administrative burden post implementation • Different versions of BCRs for controllers and processors 146 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 147 International data transfers Derogations • Consent • Performance of contract • Public interest • Establishment, exercise or defence of legal claims • Vital interests • Transfer from register • Legitimate interests Module 7: International data transfers Session notes Derogations (Article 49) • An exemption from prohibition on transferring personal data outside EEA • When a country outside EEA does not have adequacy decision and appropriate safeguards are not in place • Last resort for limited circumstances/specific conditions; strict criteria to be narrowly interpreted • Explicit consent from data subject • Data subject must understand possible risks to transferring their personal data • Necessary for the performance of a contract and/or conclusion of a contract with the data subject • Must be no way to fulfil the contract unless data is transferred • Public interest • Personal data may be transferred outside EEA for reasons of public interest recognised by EU or member state law only • Establishment, exercise or defence of legal claims • Designed to cover international litigation scenarios • Protection of vital interests of the data subject or other persons • Theme that runs through all forms of personal data processing • Designed for emergency situations (e.g., if individual must be provided with emergency medical care) • Transfer from a register of public information • Must comply with any restriction on access to or use of information • Must honour conditions imposed by the organisation that compiled the register • Legitimate interests of controller • Allows international data transfer in wider set of circumstances • Transfer must be non-repetitive and concern limited number of individuals • Narrow provisions: Protection of individuals’ rights, assessment and documentation, suitable safeguards, notification to data subject and SA of transfer Resource: Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679,” Adopted 25 May 2018 147 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 148 International data transfers Restrictions • Foreign law enforcement requests • Important reasons of public interest Module 7: International data transfers Session notes Restrictions • Foreign law enforcement requests (mutual assistance treaty) • • ‘Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State’ (Article 48) Important reasons of public interest • ‘In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission’ (Article 49[5]) 148 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 149 Global data flows Recommended steps Step 1: Know your transfers Step 2: Identify the transfer tool Step 3: Assess sufficiency of non-EEA protections Step 4: Identify and adopt supplementary measures Step 5: Take formal procedural steps Step 6: Re-evaluate at appropriate intervals Module 7: International data transfers Session notes In June of 2021, the European Data Protection Board (EDPB) published step-by-step recommendations for data transfers in the wake of “Schrems II.” Steps 1: Know your transfers Know, document and map the personal data being transferred. You must ensure that it is given essentially equivalent level of protection and verify that the data being transferred is adequate, relevant and limited to what is necessary in relation to purposes for which it is processed. Step 2: Identify your transfer mechanism Identify the transfer tools you are relying on, listed under Chapter V GDPR. If the country, region or sector is deemed adequate, no further steps need to be taken. Otherwise, rely on a transfer tool listed under Articles 46 GDPR. Re: Derogations (provided for in Article 49 GDPR) should be the exception not the rule. Step 3: Assess the sufficiency of non-EEA protections Is there a law or practice of the third country that may impinge on the effectiveness of appropriate safeguards of the transfer tool? This is where the European Essential Guarantees recommendations become relevant. The EDPB summarizes essential guarantees as: • Processing based on clear, precise and accessible rules • Necessity and proportionality need to be demonstrated with regard to legitimate objective pursued • An independent oversight mechanism should exist • Effective remedies need to be made available to the individual 149 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 150 Global data flows [cont.] Recommended steps Step 1: Know your transfers Step 2: Verify the transfer tool Step 3: Assess sufficiency of non-EEA protections Step 4: Identify and adopt supplementary measures Step 5: Take formal procedural steps Step 6: Re-evaluate at appropriate intervals Module 7: International data transfers Session notes Step 4: Identify and adopt supplementary measures • Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to EU standard of essential equivalence • This step is necessary when step 3 reveals that the third-country legislation impinges on the effectiveness of the Article 46 transfer tool. The EDPB provides a list of measures in Annex 2: • EDPB outlines additional safeguards and scenarios • Technical safeguards include guidance on encryption, pseudonymizations • Contractual safeguards - EDPB covers: • Transparency • Enhanced audits • Notification • Challenge government access to data in court • Contractual agreements to enable data subject rights • Organisational measures: internal policies with groups of enterprises, training staff, transparency policies, etc. • If no supplementary measure is suitable, you must avoid, suspend or terminate the transfer Step 5: Take any formal procedural steps the adoption of the supplementary measure may require • Document approach and seek authorization where required by the chosen transfer mechanism Step 6: Re-evaluate the level of protection afforded to the transferred data and monitor any developments that may affect it at appropriate intervals . Resource: “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data,” Adopted 18 June 2021 150 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 151 Review question 1. Arrange the options for international data transfers in the order that they should be considered. A. Appropriate safeguards B. Adequacy decisions C. Derogations Module 7: International data transfers Review question NOTE: Review questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions. 1. Arrange the options for international data transfers in the order that they should be considered. A. Appropriate safeguards B. Adequacy decisions C. Derogations 151 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 152 Review question 2. Which of the following options for international data transfers is a determination by the European Commission that a third country has achieved an EU-level of personal data protection? A. Appropriate safeguard B. Derogation C. Adequacy decision Module 7: International data transfers Review question 2. Which of the following options for international data transfers is a determination by the European Commission that a third country has achieved an EU-level of personal data protection? A. Appropriate safeguard B. Derogation C. Adequacy decision 152 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 153 Review question 3. Which of the following countries have been deemed adequate by the European Commission? Select all that apply. A. Argentina B. New Zealand C. Switzerland D. Uruguay Module 7: International data transfers Review question 3. Which of the following countries have been deemed adequate by the European Commission? Select all that apply. A. Argentina B. New Zealand C. Switzerland D. Uruguay 153 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 154 Review question 4. Which of the following are appropriate safeguards for international data transfers? Select all that apply. A. Binding corporate rules B. Standard contractual clauses C. Public interest D. Approved codes of conduct or certification mechanisms Module 7: International data transfers Review question 4. Which of the following are appropriate safeguards for international data transfers? Select all that apply. A. Binding corporate rules B. Standard contractual clauses C. Public interest D. Approved codes of conduct or certification mechanisms 154 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 155 Review question 5. Which appropriate safeguards allow large multinational companies to adopt a policy suite with rules for handling personal data? A. Ad hoc contractual clauses B. Reliance on international agreements C. Standard contractual clauses D. Binding corporate rules Module 7: International data transfers Review question 5. Which appropriate safeguards allow large multinational companies to adopt a policy suite with rules for handling personal data? A. Ad hoc contractual clauses B. Reliance on international agreements C. Standard contractual clauses D. Binding corporate rules 155 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 156 Review question 6. True or false: Criteria for derogations are strict and should be interpreted narrowly. Module 7: International data transfers Review question 6. True or false: Criteria for derogations are strict and should be interpreted narrowly. 156 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Module 8: Compliance considerations 157 Learning objectives • Discuss the legal bases and data protection considerations for employers processing employees’ personal data • Determine applicability of EU data protection law and compliance requirements for surveillance, particularly communications data, CCTV, biometric data and location data • Determine applicability of EU data protection law and compliance requirements for direct marketing, particularly online behavioural advertising • Determine applicability of EU data protection law and compliance requirements for internet technology and communications, particularly cloud computing, web cookies, search engines, artificial intelligence and social networking services Module 8 learning objectives • Discuss the legal bases and data protection considerations for employers processing employees’ personal data. • Determine applicability of EU data protection law and compliance requirements for surveillance, particularly communications data, CCTV, biometric data and location data. • Determine applicability of EU data protection law and compliance requirements for direct marketing, particularly online behavioural advertising. • Determine applicability of EU data protection law and compliance requirements for internet technology and communications, particularly cloud computing, web cookies, search engines, artificial intelligence and social networking services. 157 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 158 Employer compliance Processing employee personal data Surveillance Direct marketing • EU data protection law Internet technology and communications • Local employment law • Local data protection law • Trade unions and works councils Module 8: Compliance considerations Session notes The mix of EU data protection law with local employment law can make compliance in the context of employment complicated. • Under Article 88 of the GDPR, member states may by law or collective agreements provide for more specific rules around processing employees’ personal data; these rules must include suitable and specific measures to safeguard the data subject’s: • Human dignity • Legitimate interests • Fundamental rights • with particular regard for: • Transparency of processing • Transfer of personal data within a group of undertakings or a group of enterprises engaged in a joint economic activity • Monitoring systems • Local employment law varies considerably across the EU • Additionally, an employer may be obligated to communicate with a trade union or works council • In certain jurisdictions, works councils have considerable power over the processing of employees' personal data • Compliance may require notifying, consulting with and seeking approval from works councils 158 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 159 Processing employee personal data Employer compliance Surveillance Legal basis under the GDPR Direct marketing • Fulfilment of an employee contract Internet technology and communications • Legal obligation • Legitimate interests of the employer • Consent? Module 8: Compliance considerations Session notes Under the GDPR, first there must be a lawful basis for collecting and processing personal data. As introduced in Module 4, the legal bases are the grounds employers may rely on to process employee personal data. • Fulfilment of an employment contract: Collecting and using bank account information to process salaries • Legal obligation: Sharing salary information with tax authorities • Must be an obligation under EU or member state law • Legitimate interests of the employer: Migrating employee information from one data management system to another • Cannot be adverse to employees’ rights and freedoms • Cannot be used as grounds for processing special categories of data • Cannot be relied on by public authorities • Consent? • Difficult to prove because of the unequal distribution of power between the employer and employee • Additionally, the processing of employee data may be unlawful or unfair under local law, even if the employee has consented • Yet, under some local labour laws, employers are obligated to obtain consent from employees to process their personal data 159 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Surveillance Direct marketing Internet technology and communications 160 Processing employee personal data Processing sensitive employee data • Establish, exercise or defend legal claims • Carry out obligations and exercise specific rights under employment, social security and social protection law Module 8: Compliance considerations Session notes Where sensitive personal data on employees is collected and processed, employers must comply with one of the exceptions specified in Article 9 of the GDPR. • Consent • Not likely legal grounds for processing sensitive employee data • Establish, exercise or defend legal claims • May be necessary, such as an employee’s claim of unfair dismissal • Carry out obligations and exercise specific rights under employment, social security and social protection law • Where authorised by EU or member state law or collective agreement • In a number of jurisdictions, employment and labour laws restrict the extent to which sensitive employee data can be processed • Local data protection authorities may issue authorisations for specific processing activities 160 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 161 Processing employee personal data Storage of personnel records Archive Surveillance Direct marketing Internet technology and communications Background check Application Performance review Geolocation data Exit interview Health and safety check Employment lifecycle Module 8: Compliance considerations Session notes Employers process personal data throughout the employment lifecycle for broad reasons; however, records that contain personal data should not be kept longer than necessary. From the moment an individual applies for a position, the prospective employer begins collecting personal data. After employment has been terminated, an organisation’s legitimate reason to retain an individual’s data diminishes. Local laws may affect obligations, potentially requiring the employer to retain employee data. • For example, some health and safety laws require records relating to health and safety checks on individuals who operate machinery to be retained • If an organisation is obligated to retain personal data on former employees, generally these records should be archived, and internal access should be limited 161 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing employee personal data Surveillance Direct marketing Internet technology and communications 162 BYOD Provide notice to employees and implement a BYOD policy Know where data is stored and the measures required to keep it secure Ensure secure transfer of data Know how to manage data held on the device Module 8: Compliance considerations Session notes BYOD • Bring your own device (BYOD) is an issue relevant to every stage in the employment lifecycle • BYOD poses certain data protection compliance issues since the employer remains responsible as a controller for any personal data processed on the employee’s device for work-related purposes • BYOD programmes open the door to greater risks to data protection, including data breaches, which could result in substantial penalties and fines under the GDPR Effective management of BYOD programmes: • Provide notice to employees explaining the consequences of signing up for BYOD and outlining the information the organisation will be able to access (Again, the employer must first have a lawful basis for processing personal data) • Implement a BYOD policy that: • Explains to employees how they can use BYOD and their responsibilities • Aligns with employment law and the GDPR • Protects personal data of individuals, such as employees, customers, patients and sponsors • Protects organisational data, such as intellectual property, financial information and trade secrets • Enables employee productivity • Mitigates network risks • Know where the data processed via the device is stored and the measures required to keep the data secure • Ensure the transfer of data from the device to the company’s server is secure to avoid interceptions • Know how to manage data held on the device once the employee leaves the company or the device is lost or stolen (for example, use of mobile device management software to locate devices and remove data on demand) Employers must not use background checks to create blacklists, which are generally illegal. 162 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 163 Employee monitoring Processing employee personal data Surveillance Direct marketing Internet technology and communications • Legal requirements • Types of monitoring • Necessity, legitimacy, proportionality and transparency Module 8: Compliance considerations Session notes Legal requirements • Member state data protection law and local employment law • GDPR: Employees’ rights and freedoms balanced against rights of employer; alternatives to monitoring always considered • Prevention rather than detection; e.g., blocking websites employer does not want employee to visit Types of monitoring • Background checks (e.g., verifying education background) • Data loss prevention (DLP) technology • Tools used to protect IT infrastructure and confidential business information from external and internal threats • Inevitably involves processing personal data • Whistleblowing schemes • U.S. Sarbanes-Oxley Act (2002): U.S. companies must have system in place to receive anonymous complaints about potential wrongdoing • Conflicting obligations for U.S. companies with EU subsidiaries/affiliates: protect identity of whistleblower (SOX) versus protect personal data of accused (EU) To monitor employees lawfully, employer must ensure monitoring is: • Necessary: Can you demonstrate monitoring is really necessary? • Legitimate: Do you have lawful grounds for processing? Is it fair? • Proportional: Is monitoring proportionate to issue? • Transparent: Have employees clearly been informed of monitoring? Personal data about employees collected through monitoring must be held security, accessed only by those within the organisation with legitimate reason to view it and deleted when there’s no longer a need to hold onto it (may be business need to retain it). 163 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing employee personal data Compliance at a glance Surveillance Direct marketing Internet technologies and communications 164 Employee monitoring Necessity Legitimacy Would another, less intrusive method fulfil the need? Does the employer have lawful grounds for processing the data? Proportionality Transparency Is the monitoring proportionate to the issue? Have employees been informed of the monitoring? Module 8: Compliance considerations Session notes For review purposes 164 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing employee personal data Surveillance Respect ‘the essence of the fundamental rights and freedoms’ Direct marketing 165 Legal surveillance Be a ‘necessary and proportionate measure in a democratic society’ Article 23 (GDPR) Internet technology and communications Data subject rights Module 8: Compliance considerations Session notes Surveillance: • The observation of an individual or group of individuals • May be covert or carried out openly, conducted in real time or by access to stored material Technology-based surveillance examples: Social networks analysis and mapping, data mining and profiling, aerial surveillance, satellite imaging, telecommunications surveillance, CCTV cameras, biometric surveillance, geolocation technologies Article 23 of the GDPR • Permits EU or member state law to restrict the rights granted in Chapter 3, ‘Rights of the data subject’ • Must respect ‘the essence of the fundamental rights and freedoms’ and be a ‘necessary and proportionate measure in a democratic society’ (as set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms) EDPB ‘Guidelines 10/2020 Restrictions under Article 23 GDPR,’ Adopted 13 October 2021 • Restriction of data subject rights can only occur when the following interests are at stake and the restrictions safeguard such interests: • National security, defence and public security • Prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties • Other important objectives of general public interest • Protection of judicial independence and judicial proceedings • Prevention, investigation, detection and prosecution of breaches of ethics for regulated professions • Monitoring • Protection of data subject rights • Enforcement of civil law claims 165 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Surveillance Direct marketing Internet technology and communications • 166 Processing employee personal data Public versus private surveillance Public and state agencies – Charter of Fundamental Rights – LEDP Directive • Private entities – Legitimate purposes – National laws Module 8: Compliance considerations Session notes Developing technologies continue to break down barriers to surveillance. While public authorities and private-sector entities may have lawful purposes for surveillance, the broadening landscape of available data means broadening scope for invasion of privacy as well. Public and state agencies for national security or law enforcement purposes • Must be conducted in a manner to respect individual rights enshrined in the Charter of Fundamental Rights, specifically the right to a private and family life (Article 7) and protection of personal data (Article 8) • The Law Enforcement Data Protection Directive (LEDP Directive) • Recital 66: Although the processing of personal data must be lawful, fair and transparent, this should not prevent law enforcement authorities from carrying out activities (e.g., covert investigations and video surveillance) to: • Prevent, investigate, detect and prosecute criminal offences • Safeguard against and prevent threats to public security • Key requirements: lawfulness, necessity, proportionality and regard for legitimate interests of the natural person • Laws that fail to appropriately take into account the rights and freedoms of data subjects may be struck down by the CJEU Private entities • Surveillance by private entities must be based on legitimate purposes • In addition to the GDPR, national laws may concern confidentiality, privacy, data protection and other civil rights; e.g., employment law 166 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing employee personal data Surveillance Direct marketing Internet technology and communications CC & BCC 167 Communications data Message delivery time Message creation time Priority Content data To/from Reply time Metadata Data about data Module 8: Compliance considerations Session notes Historically, communication surveillance has involved traditional surveillance activities, such as interception of postal services and human spies; however, surveillance of electronic communications is more prevalent today. Personal data generated from electronic communications is categorised as either the content of a communication or the metadata. Content data • Content of a communication • Protected by the right to freedom of expression, recognised by laws around the world, including the EU • Examples: a conversation between parties to a call, words comprising an SMS message, an email subject line, words in the main body of an email, attachments to an email Metadata • ‘Data about data’: Information generated or processed as a consequence of a communication’s transmission • Provides context to content • Falls within the GDPR’s definition of personal data because it can be used to identify an individual • Examples • Traffic data: Calling and called numbers in relation to a telephone call • Location data: Latitude, longitude and altitude of a user’s equipment, direction of travel, level of accuracy of location information, identification of the network cell (Cell ID) in which a user device is located at a certain time, time and location information was recorded • Subscriber data: Name of a subscriber, contact details, payment information 167 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing employee personal data 168 The ePrivacy Directive User location: Thisbe’s Café What did your doctor say? Surveillance Direct marketing Received: Monday, 11am Internet technology and communications Module 8: Compliance considerations Session notes The ePrivacy Directive’s official title is Directive 2002/58, but it is known by different names, including the Cookie Directive and the Privacy and Electronic Communications Directive. It sets out rules governing the processing of location, content and traffic data over a public electronic communications network or publicly available communications system—in other words, data passing over public telephone or internet carriers, or services that use a public communications network. • Location data • For collection of individuals’ precise location-based data, opt-in consent is generally required (with the exception of carriers who need the data to provide the service) • Content data • Article 5(1): The confidentiality of the content of communications must be ensured and cannot be intercepted or disclosed to third parties unless there is consent from all users • Article 15(1): Member states can introduce some exemptions if necessary for very limited purposes • Traffic data • Access to traffic data is limited • Telecommunications carriers can process traffic data for the purpose of conveying communications and possibly for some limited marketing activities with the user’s consent • Private networks (e.g., a corporate intranet) • ePrivacy rules do not apply • Monitoring considerations, as discussed earlier in this module, are still relevant • Provision allowing for the interception of a communication when an organisation has a lawful business purpose for accessing data going through their public networks • Member states, under their individual laws, may pass legislation defining lawful business purposes 168 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 169 CCTV Processing employee personal data • Lawfulness of processing Surveillance • Prior checking Direct marketing Internet technology and communications • DPIA • Proportionality • Information provision • Individual rights • Measures to protect personal data and rights of individuals Module 8: Compliance considerations Session notes Closed circuit television—and other modes of video surveillance (CCTV) • Lawfulness of processing: Prior to carrying out surveillance, the controller should determine the lawfulness of processing (consent likely not possible), including for biometric data (Article 9) • A controller may need to rely on a provision in member state law to conduct video surveillance in a particular context • A decision to use CCTV should be made only if other, less-intrusive solutions that do not require image acquisition have been considered and found to be clearly inapplicable or inadequate for the intended lawful purpose (A DPIA should document these investigations and inadequacies) • Data protection impact assessment: A DPIA is required in some circumstances—if the video surveillance is considered to be high risk, if it involves the systematic monitoring of a publicly accessibly area on a large scale, or if video surveillance has been included by the relevant supervisory authority on a list of data processing operations that require a DPIA • Prior checking: In many countries, using CCTV triggers the requirement to notify the local regulator and, in some circumstances, seek authorisation • Proportionality: The particular system and technology used for surveillance should be proportional to the purpose (e.g., Remote control, zooming functionality, facial-recognition, and sound-recording may not be necessary) • Key aspects of the CCTV and processing of its footage must be proportionate to the purpose, such as the visual angle so that monitoring of irrelevant spaces is minimised • Information provision: For overt video surveillance, controllers must comply with the transparency requirement of the GDPR where the controller may not have a direct relationship with the affected data subjects (e.g., camera covering large, public space) • As the information that may be made available via a sign is unlikely to contain all the details prescribed by Articles 13 and 14 of the GDPR, the controller should be prepared to provide the full information necessary when a data subject makes contact • Individual rights: Under the GDPR, data subjects have rights related to the processing of their personal data (e.g., right to access, yet may pose the challenge of protecting others’ privacy) • Measures to protect the personal data and rights of individuals: These may include staff training, a CCTV policy, and regular reviews to ensure compliance 169 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing employee personal data Social networking Navigation Surveillance Direct marketing Internet technology and communications 170 Location data Advertising/ marketing Entertainment Information Security Gaming Emergency response Tracking goods/ people services Payment Commerce Module 8: Compliance considerations Session notes Location-based services (LBS) utilise information about location to deliver a wide array of applications and services. LBS may be derived from satellite network-generated data, such as GPS; cell-based, mobile network-generated data; and chip-card generated data. Location data is referred to as an identifier in the GDPR’s definition of personal data. If location data can be used alone or in combination with other information to identify someone, then it should be considered personal data. Google has identified three main areas of location data that it uses to deliver its services: • Implicit location information, such as search terms • Internet traffic information, such as IP addresses • Device-based location services, such as Google Maps 170 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing employee personal data Surveillance Direct marketing 171 Biometric data Examples: • DNA • Fingerprints • Retina and eye patterns • Voice • Gait Internet technology and communications Module 8: Compliance considerations Session notes Biometrics data defined in Article 4(14) of the GDPR as ‘personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data’. Main uses of biometrics systems: Identification: Who are you? (i.e., photographs loaded up to social media; identification of individuals through facial recognition) Authentication: Are you who you claim to be? (i.e., fingerprint to authenticate identity when accessing a mobile device, computer; palm print to access a secure building) Article 9: For biometric data to be included as a special category, the purpose for processing must be for uniquely identifying a natural person 171 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing employee personal data 172 Direct marketing Definition Surveillance Direct marketing Internet technology and communications Module 8: Compliance considerations Session notes What is direct marketing? • Former Article 29 Working Party: To fall under the scope of direct marketing, a communication, by whatever means of any advertising or marketing material, should be directed to particular individuals • Messages that do not process personal data to communicate the marketing message or those that are purely service-related in nature are not direct marketing 172 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 173 Chat Let’s talk about… Why is direct marketing one of the most complex areas of data protection law? Module 8: Compliance considerations Chat: Let’s talk about… Why is direct marketing one of the most complex areas of data protection law? 173 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 174 Processing employee personal data GDPR Direct marketing rules Surveillance Direct marketing Internet technology and communications • All direct marketing communications • Targeted online advertising • Absolute right to object to any form of direct marketing • Controller requirements Module 8: Compliance considerations Session notes Direct marketing is regulated both by the GDPR and the ePrivacy Directive (discussed on the following slide). The GDPR: • Applies to all direct marketing communications, regardless of channel • Applies to online advertising targeted at individuals based on their internet browsing history • Provides individuals an absolute right to object to any form of direct marketing at any time • Extends to processing based on legitimate interest • Requires controllers to: • Explicitly and clearly inform individuals of their right to opt out at the time of the first communication with them • Allow individuals to opt out across all marketing channels • Honour opt-out requests in a timely fashion and at no cost to the individual • Remove personal data and profiling after an individual has opted out (unless retention of personal data is strictly required) • Controllers should suppress rather than delete contact details because they do not want to risk reacquiring that individual’s details later and beginning marketing to them again • Ensure all compliance requirements under the GDPR are met Some member states require controllers to cleanse their contact lists against applicable national opt-out registers before sending direct marketing. 174 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Surveillance Direct marketing Postal marketing Telephone marketing 175 Processing employee personal data ePrivacy Directive direct marketing rules Electronic mail marketing Internet technology and communications Module 8: Compliance considerations Session notes In addition to the GDPR, direct marketing is regulated by the ePrivacy Directive, which applies to ‘digital’ marketing communications—direct marketing communicated over electronic communications networks, such as by phone, fax, email and SMS or MMS. The ePrivacy Directive: • Specifies rules that impact the use of online behavioural advertising • Differs in interpretation and enforcement across member states (e.g., B2B marketing) • Requires that specific information is provided to recipients (e.g., a valid address to which they can send an optout request that is appropriate to the medium of the marketing communication) • Postal marketing is not subject to the ePrivacy Directive • Telephone marketing (telemarketing) is subject to the ePrivacy Directive • Article 13(3): Member states decide whether person-to-person telemarketing should be conducted on an opt-in or opt-out basis • Individuals must have a means to opt out for free • Most member states have implemented national opt-out registers, which typically must be checked against the controller’s call lists • Consent is required for marketing through automated calling systems • Electronic mail marketing is subject to the ePrivacy Directive • Electronic mail marketing: Email and SMS/MMS • In general, prior consent is required • Limited exemption from the strict opt-in requirement for direct marketing by electronic mail to individuals whose details the data controller obtained ‘in the context of the sale of a product or service’ is allowed • The controller must market its own similar products and services • Individuals must have the ability to opt out at the time their contact details are collected • Individuals must be reminded of their ability to opt out in each subsequent marketing communication 175 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing employee personal data Surveillance Direct marketing Internet technology and communications 176 ePrivacy Directive Direct marketing rules at a glance Marketing channel Business-toconsumer requirements Business-tobusiness requirements Post Opt-out Opt-out Phone Opt-out Opt-out (check register) Email and SMS Opt-in (unless opt-out rule applies) Opt-out Module 8: Compliance considerations Session notes For review purposes 176 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing employee personal data 177 Web cookies • GDPR – Recital 30 Surveillance Direct marketing Internet technology and communications – Determining the controller – Consent • ePrivacy Directive – Article 5(3) – ‘Strictly necessary’ cookies exempt Module 8: Compliance considerations Session notes • GDPR • Recital 30: Where the information collected from cookies is personal data, its collection and analysis amount to processing subject to the GDPR • Who is a controller? • The website operator is a controller of the personal data gathered by its own first party cookies • Where the third party determines the means and purposes of processing of the personal data gathered from its third-party cookies, it is a controller • Many organisations now rely on consent to process personal data in the form of online identifiers • Article 4: Consent is any ‘freely given, specific, informed and unambiguous indication of a data subject’s wishes’ • Article 7: Consent must be presented separate from other matters in ‘an intelligible and easily accessible form, using clear and plain language’ • ePrivacy Directive • Article 5(3): Under member state law, organisations must obtain prior informed consent for storage or access to information stored on a user’s terminal equipment • ‘Strictly necessary’ cookies and those used solely for carrying out communication transmission are exempt from the consent requirement • Prior to the GDPR, valid consent under the ePrivacy Directive—as implemented in member state laws—was widely interpreted to be met with a visible pop-up notice announcing the use of cookies, followed by the user’s continued use of the site. Given the GDPR’s requirement of ‘specific, informed, and unambiguous indication’ of consent, many organisations now are requiring users to affirmatively interact with the cookie banner, if not also use a consent tool. The CJEU recently clarified cookie consent requirements in that consent: must be obtained through active behavior; applies to processing and storing non-personal data information; include information regarding cookie duration and access by third parties In addition to provisions under EU law, best practices around the use of cookies include storing only encrypted personal data, providing notice, using persistent cookies only if justified by the need, and setting reasonable expiration dates for cookies. 177 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 178 Processing employee personal data Online behavioural advertising (OBA) football gear Surveillance Direct marketing Popular products ½ OFF! Internet technology and communications • GDPR SALE! • ePrivacy Directive Module 8: Compliance considerations Session notes OBA is website advertising targeted at individuals based on the observation of their behaviour over time. OBA increasingly happens through third-party advertising networks. • Third-party advertising networks have relationships with partnering website publishers that enable it to place cookies on individuals’ computers with unique identifiers • As websites track individuals’ website activities, profiles are assigned to unique identifiers, enabling ad networks to deliver advertising based on individuals’ interests GDPR • Clearly identifies information collected for OBA purposes as personal data; its definition of personal data specifically provides ‘online identifier’ as an example • According to the former Article 29 Working Party, all parties to a third-party ad network relationship potentially may attract compliance responsibilities under the GDPR (the ad network itself, which will often qualify as a controller; a website publisher, which may qualify as a joint controller; and advertisers, which may qualify as independent controllers) ePrivacy Directive • Will generally apply to OBA regardless of whether or not OBA information collected from individuals constitutes personal data • Article 5(3) (amended, 2009): The use of cookies to store or access information in an individual’s computer is allowed only on the condition that the individual concerned has given their consent, having been provided with clear and comprehensive information 178 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing employee personal data Surveillance Direct marketing Internet technology and communications 179 Cloud computing When may a cloud services supplier be considered a controller? • When it determines substantial and essential elements of the means of processing (some circumstances) • When it processes data for its own purposes • When it determines aspects of the processing outside the controller’s instructions Module 8: Compliance considerations Session notes Because a controller has significantly more obligations under the GDPR, distinguishing between the controller and processor in a customer-cloud services supplier relationship is essential. This distinction may not always be clear. A cloud services supplier may determine technical and organisational means of processing (for example, hardware) and remain a processor. Even if the cloud provider is not directly subject to the GDPR, the cloud provider’s customer may be subject to it, in which case the data processing contract should contain required controls and obligations as set out in the GDPR. The EU does not have specific legislation regarding cloud computing; however, the technology-neutral GDPR, where applicable, sets out controller and processor obligations. Determining whether the GDPR applies to cloud computing services, as according to Article 3 of the GDPR, may pose challenging for cloud service providers. As covered in Module 4, Article 3 applies where either: • The processing relates to the activities of an EU establishment of the controller • Or the processing relates to offering goods or services to individuals in the EU, or to monitoring their behaviour, even when the controller or processor is not established in the EU 179 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing employee personal data 180 Search engines Who are controllers of personal data? Search engines Search engine marketers Surveillance Direct marketing Internet technology and communications Module 8: Compliance considerations Session notes Search engines are services that find information on the internet. They process large volumes of data, routinely including user IP addresses, cookies, user log files and third-party web pages. Who is a controller of personal data processed by search engines? • Search engines: Because search engines determine the purposes and means of processing data about their users, they are controllers of that personal data • Google v. AEPD • In 2014, the CJEU ruled on the Google v. AEPD case, which required that Google remove from its search results links to a 1998 newspaper article about the plaintiff’s foreclosed house • This established that search engines are also controllers of the personal data contained in thirdparty web pages • Because of the Google v. AEPD decision, search engines outside the EU are also likely subject to the GDPR in respect of their processing of personal data contained in third-party web pages if they have an EU establishment whose activities are economically linked to the search engine’s core activities • EDPB Guidelines 5/2019 lists • Grounds of the right to request delisting include unlawful processing, legal obligation and personal data is no longer necessary in relation to the processing • Exceptions to the right to request delisting include freedom of expression and information, public interest in the area of public health and legal claims • Search engine marketers: When web traffic data is processed by search engines and provided as analytics, such as Google Analytics, to search engine marketers that fall within the scope of the GDPR, the organisations conducting the search engine marketing are also controllers • Search engine marketers can take certain steps to ensure that aspects of the web traffic analysis process are anonymised (e.g., ensuring that data, including IP addresses, is not stored in Google Analytics even after the user has accepted the placement of cookies; anonymising IP addresses before storage or processing takes place) 180 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 181 Social networking services Processing employee personal data Surveillance Direct marketing Internet technology and communications • Who is a controller? • Sensitive, third-party and children’s personal data Module 8: Compliance considerations Session notes Social networking services (SNS) create opportunities for various parties and individuals to collect and use personal data. As a result, there may be multiple controllers. Who is a controller? • Social networking services because they provide platforms for publishing and exchanging personal information, as well as determine the use of personal information for advertising purposes • Authors of applications designed for SNS platforms that provide services in addition to the SNS • Users who act on behalf of an organisation • User knowingly extend access to personal data beyond selected contacts Sensitive, third-party and children’s personal data • Sensitive personal data: Explicit consent usually is required to publish personal data on the internet, unless it is published by the data subject. An SNS requesting personal data (for example, for an individual’s profile) must ensure the individual knows that provision of the data is voluntary. • Third-party personal data: If third-party individuals’ personal data is published (for example, photo tags), the SNS must have a legal basis for processing that personal data. According to the former Article 29 Working Party, thirdparty data of individuals who are not members of the SNS may not be aggregated to form profiles of those individuals. • Children’s data: As discussed in Module 4, processing children’s data on the basis of consent requires parental consent. This applies to children under 16 years old; member States may lower this age limit to 13 years old. Processing on the grounds of legitimate interest may not be possible (GDPR, Article 6[f]). According to the former Article 29 Working party, a controller should have regard for the best interests of the child. 181 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 182 Chat Let’s talk about… How can an SNS be transparent about its processing of personal data? Module 8: Compliance considerations Chat: Let’s talk about… How can an SNS be transparent about its processing of personal data? EDPB “Guidelines 8/2020 on the targeting of social media users,” Adopted 13 April 2021 • Identifies the actors and roles of social media: Users, social media providers, targeters and other relevant actors (Marketing service providers, ad networks, data brokers and data analytics companies) • Users may be targeted on the basis of: • Provided data • Must be able to demonstrate a legal basis for processing via consent or legitimate interest • Observed data • Users must be provided with clear and comprehensive information about the purposes of processing prior to giving consent • Inferred data • Typically involves profiling. In order for processing to be lawful, the controller must conduct caseby-case assessment (will targeting have a “similarly significant effect” on a data subject), obtain consent and ensure requirements of Article 5 are observed. 182 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Processing employee personal data 183 Artificial intelligence Simulation of human intelligence created by machines and computers • Ability to learn, reason and evaluate to make automated decisions Surveillance Direct marketing Internet technology and communications Module 8: Compliance considerations Session notes Artificial intelligence is the simulation of human intelligence created by machines and computers. With the ability to learn, reason and evaluate, AI can replace humans and act on their own to make automated decisions. Machine learning, which is a type of AI, is driven by available data. The machine learns to identify patterns in the data and applies that to new data. This enables better understanding of human behaviors and activities. Provisions within the GDPR affect the AI functions of automated decision-making. Article 22, discussed in Module 5, highlights data subject rights in connection with profiling and automated decision-making. Organisations implementing AI technology will want to ensure privacy regulations are being met in conjunction with the technology. The EU initiative on AI includes: • Boosting the technological and industrial capacity and AI uptake across the public and private sectors • Preparing for socio-economic changes as AI modernises education, training, labour markets and social protection systems • Focusing on high-risk uses of AI • Restricting certain practices, such as use of facial recognition in publicly accessible places for law enforcement • Guaranteeing human oversight of AI systems • Ensuring ethical principles • Respect for human autonomy, prevention of harm, fairness and explicability Resources: European Commission: Strategy for Artificial Intelligence https://digital-strategy.ec.europa.eu/en/policies/strategy-artificial-intelligence Ethic guidelines for Trustworthy AI https://iapp.org/media/pdf/resource_center/AIEthicsGuidelinespdf.pdf 183 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 184 Review question 1. Which types of laws should be considered when processing employees’ personal data? Select all that apply. A. Local employment law B. EU data protection law C. Member state data protection law Module 8: Compliance considerations Review question NOTE: Review questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions. 1. Which types of laws should be considered when processing employees’ personal data? Select all that apply. A. Local employment law B. EU data protection law C. Member state data protection law 184 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 185 Review question 2. Under the GDPR, which legal basis for processing personal data would be difficult to use for processing employee data? A. Fulfilment of an employee contract B. Legal obligation C. Legitimate interests of the employer D. Consent Module 8: Compliance considerations Review question 2. Under the GDPR, which legal basis for processing personal data would be difficult to use for processing employee data? A. Fulfilment of an employee contract B. Legal obligation C. Legitimate interests of the employer D. Consent 185 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 186 Review question 3. True or false: Some employers may be required to consult with works councils and/or trade unions to process employees’ personal data. Module 8: Compliance considerations Review question 3. True or false: Some employers may be required to consult with works councils and/or trade unions to process employees’ personal data. 186 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 187 Review question 4. True or false: BYOD policies are designed to protect employees’ personal data only. Module 8: Compliance considerations Review question 4. True or false: BYOD policies are designed to protect employees’ personal data only. 187 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 188 Review question 5. True or false: Alternatives to employee monitoring should always be considered first. Module 8: Compliance considerations Review question 5. True or false: Alternatives to employee monitoring should always be considered first. 188 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 189 Review question 6. The ePrivacy Directive governs the processing of which types of data? Select all that apply. A. Location data B. Content data C. Traffic data Module 8: Compliance considerations Review question 6. The ePrivacy Directive governs the processing of which types of data? Select all that apply. A. Location data B. Content data C. Traffic data 189 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 190 Review question 7. True or false: The ePrivacy Directive governs the processing of data through both private and public carriers and communications networks. Module 8: Compliance considerations Review question 7. True or false: The ePrivacy Directive governs the processing of data through both private and public carriers and communications networks. 190 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 191 Review question 8. True or false: Under the GDPR, individuals have the absolute right to object to any form of direct marketing at any time. Module 8: Compliance considerations Review question 8. True or false: Under the GDPR, individuals have the absolute right to object to any form of direct marketing at any time. 191 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 192 Review question 9. Which forms of marketing are subject to the ePrivacy Directive? Select all that apply. A. Postal marketing B. Telephone marketing C. Electronic mail marketing Module 8: Compliance considerations Review question 9. Which forms of marketing are subject to the ePrivacy Directive? Select all that apply. A. Postal marketing B. Telephone marketing C. Electronic mail marketing 192 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 193 Review question 10.Which of the following parties involved in online behavioural advertising may qualify as a data controller? Select all that apply. A. An ad network B. A website publisher C. An advertiser Module 8: Compliance considerations Review question 10. Which of the following parties involved in online behavioural advertising may qualify as a data controller? Select all that apply. A. An ad network B. A website publisher C. An advertiser 193 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 194 Learning objectives Module 9: Security of processing • Summarise the considerations and duties of controllers and processors for ensuring the security of personal data • Describe four major attributes of secure processing systems and services • Describe requirements and best practices for ensuring security of personal data • Outline the requirements related to informing the supervisory authority (SA) and data subjects of a data breach Module 9 learning objectives • Summarise the considerations and duties of controllers and processors for ensuring the security of personal data. • Describe four major attributes of secure processing systems and services. • Describe requirements and best practices for ensuring security of personal data. • Outline the requirements related to informing the supervisory authority (SA) and data subjects of a data breach. 194 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 195 You can have security without data protection, but you cannot have data protection without security. Module 9: Security of processing Session notes You can have security without data protection, but you cannot have data protection without security. • The majority of data protection enforcement in Europe is related to security incidents • Data protection and security are related but not the same • Security supports compliance with GDPR in many ways 195 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 196 Security of processing Attributes of security controls Confidentiality Integrity Availability Resilience Module 9: Security of processing Session notes Attributes of security controls (Article 32[1][b]) • ‘CIA’ should be well-known to InfoSec professionals, but perhaps new to others • Confidentiality: Individuals, entities, systems or applications access data on a need-to-know basis • Integrity: Controls are in place to ensure data is accurate and complete • Availability: Data is accessible when needed for a business activity • Resilience • New attribute in GDPR • Data is able to withstand and recover from threats 196 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 197 Chat Knowledge check Gina is working from home today. She is trying to access client data she needs from her organisation’s remote connection; however, she cannot remember her access password. She emails her coworker in the IT department for help. They provide her with a link that will allow her to reset her password. After answering a security question correctly, Gina resets her password and accesses the secure client data she needs. Which of the four security attributes does this scenario exemplify? Module 9: Security of processing Chat: Knowledge check Gina is working from home today. She is trying to access client data she needs from her organisation’s remote connection; however, she cannot remember her access password. She emails her coworker in the IT department for help. They provide her with a link that will allow her to reset her password. After answering a security question correctly, Gina resets her password and accesses the secure client data she needs. Which of the four security attributes does this scenario exemplify? • Confidentiality • Integrity • Availability • Resilience 197 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 198 Security of processing What does the GDPR say about security? Article 32 The controller and the processor shall provide ... Appropriate technical and organisational measures To ensure ... A level of security appropriate to the risk Taking into account ... State of the art, costs, nature, context, scope and purpose Module 9: Security of processing Session notes What does the GDPR say about security? (Article 32) • The controller and the processor shall provide … • • • • • Appropriate technical and organisational measures • What is appropriate security? • The law does not specify The law does not require absolute security (a breach may still be possible) To ensure … • A level of security appropriate to the risk • Risks may include accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data • Risk-based approach requires a risk assessment • Risk assessment determines controls Taking into account … • State of the art: Security controls should be chosen based on a consensus of professional opinions • Costs of implementation: Controls should reflect good management decisions • Nature (e.g., special categories) • Context in which processing is taking place (e.g., investigating an employee suspected of wrongdoing) • Scope (i.e., how much data) • Purpose of processing • In addition, the entire information life cycle should be considered, including potential security threats and harm that may come to personal data Certification mechanisms and codes of conduct may be used to demonstrate compliance • These must be approved by supervisory authorities 198 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection The technology stack The physical environment Encryption, antivirus and antispam technology, firewalls, identity and access management, incident detection, data loss prevention, two-factor authentication, IP log management, regular security code peer review Sophisticated entry control systems, closed-circuit television (CCTV), lock-and-key and clean-desk policies 199 Protection mechanisms Module 9: Security of processing Session notes • The technology stack • Electronic information main focus of data protection law • Security-enhancing technologies: encryption, antivirus and antispam technologies, firewalls, identity and access management, incident detection, data loss prevention, two-factor authentication, IP log management, regular security code peer review • A key focus of security technologies: filtering electronic communications and monitoring use of IT and communication systems • Often involves complex privacy and employment law issues (see Module 8) • Testing the ability of the technology stack to withstand cyberattacks and misuse • Penetration (pen) testing by ‘ethical hackers’ and testing coding security • The physical environment • Sophisticated entry control systems, closed-circuit television (CCTV), lock-and-key and clean-desk policies • Subject to same restrictions as other monitoring controls EDPB “Guidelines 3/2019 on processing of personal data through video devices,” Adopted 29 January 2020 • Lawfulness of processing: legitimate interest • Necessity to perform a task carried out in public interest • Disclosure of video footage to third parties: general purposes and law enforcement agencies • Processing of special categories of data (Article 9 may apply; general considerations for biometric data) • Rights of the data subject (access, erasure, object, forgotten) • Transparency and information obligations (warning signs) • Storage periods and obligation to erasure • Implement technical and organisational measures proportional to the risks to right and freedoms of natural persons 199 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 200 Security of processing Article 28: The controller-processor relationship Controller Processor ‘Sufficient guarantees’ Security Contracts and assurance mechanisms Module 9: Security of processing Session notes See also Module 3. Article 28: The controller-processor relationship • Article 28(1): flow down security principle and requirements to the processor • Processors must be limited to those who can provide ‘sufficient guarantees’ about the implementation of appropriate technical and organisational measures for compliance with the Regulation and for the protection of the rights of data subjects’ • ‘Sufficient guarantees’: Much more than contracts • Assurance mechanisms: Appropriate checking and vetting of the processor by the supplier via a third-party assessment of certification validations, before and after creating a contract 200 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 201 Security of processing Data breach notifications Processor Controller Controller Supervisory authority Controller Data subject Module 9: Security of processing Session notes Data breach notifications • • Article 4(12): Personal data breach definition • Accidental or unlawful • Breach of security leading to: accidental or unlawful destruction, loss, alteration, unauthorised disclosure and access • Personal data transmitted, stored and otherwise processed Processor notification duty • • Article 33(2): Notification to controller • Without ‘undue delay’ • Timed from becoming ‘aware’ of breach Controller notification duties • Article 33(1): Notification to SA • Without ‘undue delay’ and within 72 hours after becoming aware of the breach • • When does a controller become aware of a breach? ‘When that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised’ (Former Article 29 Working Party) • Delay permitted if ‘reasoned justification’ • Exempt if unlikely to result in a risk to the rights and freedoms of natural persons Article 34: Notification to data subject • Applies if ‘high risk’ • Without ‘undue delay’ • Exemptions for: ‘Unintelligible data’, high risk negated by measures taken and disproportionate effort = public communication • Regardless of controller’s decision, SA may decide data subject shall be notified 201 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 202 Security of processing Data breach notifications Supervisory authority Controller  Who  Contact  How many  Consequences  What types  Follow-up Controller Data subject  Clear and plain language Module 9: Security of processing Session notes Data breach notifications • Controller to SA • Who? • • How many? • • Categories of data records Contact • Name and contact details of data protection officer (or other contact point if additional information can be obtained) • Description of likely consequences • Follow-up • • Approximate number of data subjects and data records What types? • • Categories of data subjects Measures taken or to be taken Controller to data subject • Clear and plain language 202 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 203 Security of processing Notification rules in summary Personal data breach: ‘A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (Article 4[12]) Notification to controllers (Article 33[2]) Notification to supervisory authority (Article 33 [1]) • Sole notification duty for processors • Without ‘undue’ delay • Without ‘undue delay’ and within 72 hours • Delay permitted if ‘reasoned justification’ • Timed from becoming ‘aware’ of breach • Exempt if ‘unlikely’ to result in risk Notification to data subjects (Article 34) • Applies if ‘high risk’ • Without ‘undue delay’ • Exemptions for: • (a) ‘unintelligible data’ • (b) high risk negated by measures taken • (c) disproportionate effort = public notice Module 9: Security of processing Session notes For review purposes 203 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 204 Chat Your outlook Under what circumstances would a data breach result in a high risk to the rights and freedoms of individuals? Module 9: Security of processing Chat: Your outlook Under what circumstances would a data breach result in a high risk to the rights and freedoms of individuals? Follow-up chat When would a breach not pose a high risk? 204 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 205 NIS Directive Directive on security of network and information systems • 9 May 2018 • First EU-wide cybersecurity law • Three focuses 1) National capabilities 2) Cross-border collaboration 3) National supervision of critical sectors Module 9: Security of processing Session notes NIS Directive • Effective 9 May 2018 • First cybersecurity law to cover entire EU • While not specifically concerned with personal data, will indirectly bolster its security within organisations regulated by the Directive • Three focuses • National capabilities: Compel development of national cybersecurity strategies and structures by EU member states • National Computer Security Incident Response Teams (CSIRTs) • Cybersecurity regulators • Operators of ‘essential services’ • Cross-border collaboration: Enhance cooperation between the member states • Cooperation Group to coordinate CSIRTs and develop best practices • National supervision of critical sectors: Improve security levels of operators of essential services (energy, water, transport, health and banking sectors) and digital service providers (online marketplaces, online search engines and cloud computing services) • Member state laws that set out security requirements and incident notification requirements for these entities 205 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 206 Enforcement action German state DPA issues country's first GDPR fine (2018) IAPP, “German state DPA issues country's first GDPR fine,” Daily Dashboard, 26 November 2018, https://iapp.org/news/a/german-state-dpa-issues-countrys-first-gdpr-fine. Session notes German state DPA issues country's first GDPR fine (2018) The data protection authority of Baden-Württemberg administered the first fine in Germany for violations of GDPR, according to a blog post from Hogan Lovells' Chronicle of Data Protection. The DPA fined an unnamed social media provider 20,000 euros after it suffered a data breach. The social media company informed affected users of the breach and the agency of its security failings. The DPA decided to penalise the company after the agency discovered it stored passwords in plain text, a violation of Article 32 of the GDPR. 206 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 207 Enforcement action CNIL issues 400K euro fine for GDPR violations (2019) IAPP, “CNIL issues 400K euro fine for GDPR violations,” Daily Dashboard, 6 June 2019, https://iapp.org/news/a/cnil-issues-400k-euro-fine-for-gdpr-violations. Session notes CNIL issues 400K euro fine for GDPR violations (2019) France's data protection authority, the CNIL, fined the real estate company Sergic 400,000 euros for violations of the GDPR. A complaint received by the CNIL alleged users could access documents from other individuals on the site by modifying a URL. The documents contained individuals' identity cards, tax notices, account statements and other information. An investigation conducted by the DPA found Sergic was aware of the vulnerability since March 2018. The DPA discovered Sergic did not implement any form of user authentication for those who could access the documents, which factored into the decision to penalise the company. 207 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 208 1. CIAR stands for _____. Review question A. Continuity, information, access, risk assessment B. Confidentiality, information, availability, risk assessment C. Confidentiality, integrity, availability, resilience D. Continuity, integrity, access, resilience Module 9: Security of processing Review question NOTE: Review questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions. 1. CIAR stands for _____. A. Continuity, information, access, risk assessment B. Confidentiality, information, availability, risk assessment C. Confidentiality, integrity, availability, resilience D. Continuity, integrity, access, resilience 208 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 209 Review question 2. True or false: A processor is responsible for implementing appropriate technical and organisational measures to keep personal data secure. Module 9: Security of processing Review question 2. True or false: A processor is responsible for implementing appropriate technical and organisational measures to keep personal data secure. 209 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 210 3. A controller must notify the SA of a personal data breach if _____. Review question A. The breach is likely to result in a risk for the rights and freedoms of natural persons. B. The breach is likely to result in a high risk for the rights and freedoms of natural persons. Module 9: Security of processing Review question 3. A controller must notify the SA of a personal data breach if _____. A. The breach is likely to result in a risk for the rights and freedoms of natural persons. B. The breach is likely to result in a high risk for the rights and freedoms of natural persons. 210 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 211 Learning objectives Module 10: Accountability • Recognise accountability implications of the GDPR’s Article 24 for controllers and processors • Outline steps for designing a data protection programme, including a data protection impact assessment and data protection policy • Summarise record-keeping requirements of controllers and processors • Describe the protections, tasks and responsibilities of data protection officers Module 10 learning objectives • Recognise accountability implications of the GDPR’s Article 24 for controllers and processors. • Outline steps for designing a data protection programme, including a data protection impact assessment and data protection policy. • Summarise record-keeping requirements of controllers and processors. • Describe the protections, tasks and responsibilities of data protection officers. 211 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 212 Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. (Article 24[1]) Module 10: Accountability Session notes Accountability: The ability to demonstrate that a data protection programme has been implemented and run in compliance with the law. Article 24(1) • Nature, scope, context and purposes … as well as risks • • Appropriate technical and organisational measures • • • All technical and nontechnical measures Demonstrate • • Risk-based approach Records of controllers and processors available to SA Reviewed and updated • Continuous improvement and communication • Testing and auditing In practice: data protection programme • Data protection by design/by default • Data protection impact assessments (DPIAs) • Maintaining data processing records • Appointing data protection officer (DPO) Auditing privacy programs • DPAs have the ability to carry out audits and inspections of premises and processing equipment • Data protection written systems • Data protection business operations • DPAs can issue warnings to stop business activities if data processing practices are suspicious • Regulators have the right to conduct audits 212 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 213 Chat Share your experience What is data protection by design? Module 10: Accountability Chat: Share your experience What is data protection by design? 213 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Design and default Records The DPO 214 Accountability 214 Data protection by design • Build data protection into products throughout their life cycles • Safeguards – Data minimisation – Pseudonymisation • Assess/mitigate risks Module 10: Accountability Session notes Implementation of technical and organisational measures should take place ‘both at the time of the determination of the means for processing and at the time of the processing itself’ (Article 25). Data protection by design • Build data protection into products throughout their life cycles • • Integrate necessary safeguards into the system • • Specifically at the time of planning the means and type of processing and during the processing itself, rather than as an afterthought GDPR examples: Data minimisation, pseudonymisation Assess/mitigate product risks to meet data protection by design requirements 214 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Design and default Records The DPO 215 Accountability 215 Data protection by design Data protection by default • Data protection built • Data protective into product life lifecycles cycles settings are default • Safeguards – Data minimisation – Pseudonymisation • Assess/mitigate risks • Processing only necessary personal data • Limited accessibility Module 10: Accountability Session notes Data protection by default • Where a product/service provides users with multiple setting options, the most data protective settings are default • • By default, the product/service processes only necessary personal data • • Users have to opt-in to any setting that presents greater risks Considerations: purpose, amount of personal data collected, extent of processing and storage period Limited accessibility to personal data For practical examples of privacy by default, refer to Piotr Foitzik’s IAPP The Privacy Advisor article, ‘Privacy by default in online services’: https://iapp.org/news/a/privacy-by-default-in-online-services 215 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 216 Accountability Design and default Data protection impact assessment Records • Conditions The DPO • Contents • Considerations • Prior consultation with SA Risks Measures Module 10: Accountability Session notes Data protection impact assessment (DPIA) • To help incorporate data protection considerations into organisational planning • To help demonstrate compliance to supervisory authorities • Article 35: Considerations • Nature, scope, context, purpose, type of processing • Use of new technologies • Article 35: Conditions • High risk to rights and freedoms of data subject • Examples: systematic, extensive evaluation of personal aspects based on profiling or processing of special categories • Large-scale processing of special categories • Monitoring public areas systematically and on large scale • GDPR, Article 29 Working Party Guidelines on DPIAs and member state lists • SA may set out other specific processing operations that qualify as high risk • Article 35: Contents of DPIA • Description of processing • Assessment of necessity, proportionality and risks to rights and freedoms of data subject • Measures (controls) to address risks • Article 36: Prior consultation with SA • Prior to processing when DPIA indicates high risk to data subject • Contents: DPIA, responsibilities of controllers and processors, purposes and means of processing, measures and safeguards, and contact details of DPO • If SA thinks processing will not be compliant or controller has not sufficiently mitigated risks • Will provide advice to controller • Can block processing activities within eight weeks (six additional in complex situations) 216 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Design and default Data protection policy Records • Language • Contents • Goals The DPO 217 Accountability Module 10: Accountability Session notes Data protection policy used ‘where proportionate in relation to processing activities’ (Article 24[2]). • Amongst other measures • As part of larger data protection programme • GDPR does not specify required contents Good practices for design: • Language • • • Use language that speaks to the recipients Contents • Communicate to the recipients what to do, what not to do and consequences • Use principles concretely (e.g., to explain a specific example) Goals • Consider how metrics may be used to demonstrate results • Ensure tasks are achievable, realistic, relevant and timely (e.g., do not refer to outdated technologies) 217 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 218 Chat Brainstorm Topics that may be covered in a data protection policy. Module 10: Accountability Chat: Brainstorm Topics that may be covered in a data protection policy Follow-up chat What types of metrics may be used to demonstrate results? 218 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Design and default 219 Accountability Controller records Records The DPO Module 10: Accountability Session notes • SA may request copy of processing records from controller, processor and representatives • Recording obligation triggers for controllers and processors: Processing that … • Organisations of 250 or more employees • Is likely to result in risk to rights and freedoms of data subject • Is not occasional • Includes special categories of data or data relating to criminal convictions/offences Controller records (Article 30) • Purposes of processing • Name and contact information of controller, representatives and DPO • Categories of data subjects • Categories of personal data • Recipients • International data transfers and appropriate safeguards • Time limits for erasure • Technical and organisational security measures 219 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Design and default Controller records 220 Accountability Processor records Records The DPO Module 10: Accountability Session notes Processor records (Article 30) • Name and contact information of processor, controller, representatives and DPO • Categories of processing • International data transfers and appropriate safeguards • Technical and organisational security measures Good practice: Keep a log of all processing activities to show competence/compliance of controllers, processors and representatives in the event of an incident. International data transfers: Additions of codes of conduct and certification mechanisms as adequacy mechanisms. EDPB issued guidance to help clarify procedures and rules regarding codes of conduct as well as on the accreditation of certification bodies under Article 43. 220 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Design and default Role of the DPO • Staff member or contractor • Expert • Legally required position (under some circumstances) Records The DPO 221 Accountability Module 10: Accountability Session notes Role of the data protection officer (DPO) (Article 37) • Formerly Personal Data Protection Official under the Directive • Staff member or contractor • Appointed by controller or processor • Tasked with ensuring and demonstrating compliance with data protection law • Expert in data protection law and practices • Legally required position (under some circumstances) • • Core activities of controller or processor include: • Processing activities that require ‘regular and systematic monitoring’ of data subjects on ‘large scale’ • Processing sensitive data (or personal data relating to criminal convictions/offences) on a ‘large scale’ Processing by public bodies, other than courts acting in judicial capacity • Union or member state law • DPO appointed voluntarily • Still subject to GDPR requirements 221 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 222 Chat Let’s talk about… How does the Article 29 Working Party further define core activities, large-scale, and regular and systematic monitoring? Module 10: Accountability Chat: Let’s talk about… How does the Article 29 Working Party further define core activities, large-scale, and regular and systematic monitoring? 222 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Design and default DPO tasks and responsibilities Records • Inform and advise controller and processors The DPO • Contributes to the DPIA process 223 Accountability • Monitor compliance • Cooperate with SA • Communicate with data subjects and SA • Exercise professional secrecy Module 10: Accountability Session notes DPO tasks and responsibilities (Articles 38–39) • • Monitor compliance with GDPR and Union or Member State data protection provisions • ‘Collect information to identify processing activities’ • ‘Analyse and check the compliance of processing activities’ • Manage internal data protection activities, train staff and conduct internal audits Inform and advise controllers, processors and employees who carry out processing • Provide advice in regard to DPIAs (whether or not to conduct one, methodology, in-house versus outsourced, safeguards, correct implementation and analysis of results in regard to compliance) • ‘Issue recommendations to the controller or the processor’ • Manage risk • Cooperate with SA • Communicate with data subjects and SA • Exercise professional secrecy 223 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Design and default Controllers and processors ensure… Records • Access to personal data and processing operations The DPO 224 Accountability • Communication and involvement • Resources • Safeguards • DPO reports to highest level of management Module 10: Accountability Session notes Controller and processors ensure… • Communication with/involvement of DPO in all issues related to personal data protection • Access to personal data and processing operations • Resources to help DPO carry out tasks • • ‘Active support’ from senior management • ‘Sufficient time for DPOs to fulfil their duties’ • ‘Financial resources, infrastructure ... and staff’ • Communicating the DPO designation ‘to all staff’ • ‘Access to other services within the organisation’ • ‘Continuous training’ Safeguards to enable DPO to perform tasks independently • ‘No instructions by the controllers or the processors regarding ... the DPO’s tasks’ • ‘No dismissal or penalty ... for the performance of the DPO’s tasks’ • ‘No conflict of interest with possible other tasks and duties’ • • ‘The DPO cannot hold a position within the organisation that leads them to determine the purposes and the means of the processing of personal data’ DPO reports to highest levels of management 224 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 225 Accountability Summary of responsibilities Accountability • 225 requirement Controllers Processors Data protection by design Yes No Data protection by default Yes No Data protection impact assessments Yes (where required) No (but duty to assist Article 28 terms) Data protection officer Yes (where required) Yes (where required) Record-keeping Yes Yes Security Yes Yes Yes (to SAs and data subjects) Yes (to controller) Data breach reporting Module 10: Accountability Session notes None 225 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 226 Accountability Obligation to designate a representative in the EU Article 27 • Article 3(2) processing • Exceptions • Conditions for representation Module 10: Accountability Session notes Article 27 • Article 3(2) processing of personal data of data subjects in the EU by a controller or processor not established in the EU. Process activities are related to: • Offering goods or services or monitoring behaviour as far as their behavior takes place in the EU • Exceptions for processing: • Occasional, does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions • And unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing • A representative should be established in member states of those data subjects • The representative must be mandated by the controller or processor to be addressed in addition to or instead of the controller or processor • In particular by supervisory authorities and data subjects • The designation of a representative must be made without prejudice to legal actions • Could be initiated against the controller or processor 226 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 227 Review question 1. True or false: Both controllers and processors have accountability obligations under the GDPR. Module 10: Accountability Review question NOTE: Review questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions. 1. True or false: Both controllers and processors have accountability obligations under the GDPR. 227 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 228 Review question 2. True or false: Data protection by design begins before processing and incorporates data protection considerations into the planning phase. Module 10: Accountability Review question 2. True or false: Data protection by design begins before processing and incorporates data protection considerations into the planning phase. 228 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 229 Review question 3. What are the main values of a data protection impact assessment (DPIA)? Select all that apply. A. Incorporating data protection considerations into organisational planning B. Determining the purpose of processing personal data C. Demonstrating compliance to supervisory authorities Module 10: Accountability Review question 3. What are the main values of a data protection impact assessment (DPIA)? Select all that apply. A. Incorporating data protection considerations into organisational planning B. Determining the purpose of processing personal data C. Demonstrating compliance to supervisory authorities 229 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 230 Review question 4. True or false: The GDPR requires controllers to always contact the SA following a DPIA and before processing personal data. Module 10: Accountability Review question 4. True or false: The GDPR requires controllers to always contact the SA following a DPIA and before processing personal data. 230 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 231 Review question 5. True or false: The GDPR requires a data protection policy to be used ‘where proportionate in relation to processing activities’. Module 10: Accountability Review question 5. True or false: The GDPR requires a data protection policy to be used ‘where proportionate in relation to processing activities’. 231 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 232 Review question 6. Which of the following must be included in controllers’ personal data processing records but not in processors’ records? A. Purposes of processing B. International data transfers being made and the measures put in place to ensure they are lawful C. A general description of technical and organisational security measures that have been implemented Module 10: Accountability Review question 6. Which of the following must be included in controllers’ personal data processing records but not in processors’ records? A. Purposes of processing B. International data transfers being made and the measures put in place to ensure they are lawful C. A general description of technical and organisational security measures that have been implemented 232 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 233 Review question 7. True or false: The data protection officer must be an expert in data protection law and practices. Module 10: Accountability Review question 7. True or false: The data protection officer must be an expert in data protection law and practices. 233 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection Review question 234 8. Which of the following are circumstances that require an organisation to appoint a DPO? Select all that apply. A. The controller is a public authority. B. The core activities of the controller or processor include regular and systematic monitoring of data subjects on a large scale. C. The core activities of the controller or processor consist of large-scale processing of special categories of data. Module 10: Accountability Review question 8. Which of the following are circumstances that require an organisation to appoint a DPO? Select all that apply. A. The controller is a public authority. B. The core activities of the controller or processor include regular and systematic monitoring of data subjects on a large scale. C. The core activities of the controller or processor consist of large-scale processing of special categories of data. 234 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 235 Learning objectives Module 11: Supervision and enforcement • Describe the role, powers and procedures of the supervisory authorities (SA) • Describe the composition and tasks of the European Data Protection Board • Describe the role of the European Data Protection Supervisor • Summarise the remedies against, liabilities of, and potential penalties for controllers and processors, particularly administrative fines Module 11 learning objectives • Describe the role, powers and procedures of the supervisory authorities. • Describe the composition and tasks of the European Data Protection Board. • Describe the role of the European Data Protection Supervisor. • Summarise the remedies against, liabilities of, and potential penalties for controllers and processors, particularly administrative fines. 235 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 236 Supervision and enforcement The SA role • Promote, monitor and enforce GDPR application • Promote awareness • Conduct investigations • Protect fundamental human rights Module 11: Supervision and enforcement Session notes The SA role (Articles 51–57) • Also known as data protection authority (DPA) • Promote, monitor and enforce GDPR • Promote awareness • Help organisations understand their obligations under GDPR • Serve in advisory capacity so organisations may approach them for advice on data protection issues • Conduct investigations on GDPR compliance • Protect fundamental human rights, including … • Raise public awareness • Provide information to individuals upon request • Manage data subject complaints • Draw up annual reports that explain … • Data protection in their country • Current issues • Agenda for following year • Facilitate free flow of personal data within EU • Support fundamental role of EU to promote free trade and free movement of data 236 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 237 Chat Knowledge quest What powers do supervisory authorities have over controllers and processors? Module 11: Supervision and enforcement Chat: Knowledge quest What powers do supervisory authorities have over controllers and processors? Investigative • Order the controller/processor to provide information required for performance of its tasks Corrective Authorisation and advisory • Provide advice (prior consultation procedure) Order compliance with data subject request • Issue opinions to institutions, bodies, public • Issue warnings • Issue reprimands • • Conduct data protection audits • Review certifications • • • Notify controllers/processors of alleged GDPR infringements Order notification to data subject of breach Authorise processing of personal data (if required) • Order controller/processor to bring processing operations into compliance • Issue opinion/approve draft codes of conduct • Approve certification criteria • Order communication to data subject of data breach • Accredit certification bodies • • Ban processing (temporary or definitive) Issue certifications and approve criteria • • Order rectification, restriction or erasure of data Adopt standard data protection clauses • Authorise contractual clauses • Suspend international data transfers • • Withdraw certifications • Impose administrative fines Authorise administrative arrangements between public authorities/bodies for appropriate safeguards related to transfers • Suspend international data flows • Approve BCRs • • Obtain from controller/processor access to personal data necessary for performance of its tasks Obtain access to premises 237 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 238 Supervision and enforcement SA powers continued • Subject to appropriate safeguards • Member state law Module 11: Supervision and enforcement Session notes SA powers continued (Article 58) • Subject to appropriate safeguards, including effective judicial remedy and due process • Member state law • Provides SA with power to bring GDPR infringements to judicial authorities • May also provide for additional SA powers 238 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 239 Supervision and enforcement Identifying the lead supervisory authority for cross-border processing Controller or processor Single establishment Multiple establishments SA of the place of establishment SA of the place of main establishment—central administration Unless decisions about processing happen elsewhere Article 29 Data Protection Working Party, “Guidelines for identifying a controller or processor’s lead supervisory authority,” Adopted April 5, 2017, http://ec.europa.eu/newsroom/article29/itemdetail.cfm?item_id=611235. Session notes Before identifying the lead supervisory authority for cross-border processing, the controller/processor must determine if cross-border processing is taking place. The criteria for identifying the lead SA for an organisation with more than one establishment in the EU makes it possible for a company to have several lead SAs—if it conducts several cross-border activities whose related decisions take place in more than one location. • Lead supervisory authority: primary regulator responsible for cross-border processing activities of a controller/processor and coordinating operations of all SAs concerned • Cross-border processing • • ‘Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State.’ • Or, ‘processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State’ Article 4(23). Article 29 Working Party: ‘Supervisory Authorities will interpret “substantially affects” on a case by case basis.’ If cross-border processing, identify the lead SA • Single establishment in the EU = SA of the place of establishment. • More than one establishment in the EU = SA of the place of central administration—unless decisions about purposes, means and implementation of processing take place at a different location. If so, the lead is the SA of that location. • Controller and processor both involved in the processing = default to controller’s lead SA. 239 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 240 Supervision and enforcement SA procedures • Cooperation • Mutual assistance • Joint operations • Consistency mechanism • Dispute resolution • Urgency procedure Module 11: Supervision and enforcement Session notes SA procedures (Chapter VII, GDPR) • Procedures intended to support cooperation between SAs and consistent GDPR application across member states • Procedures heavily summarised here • Cooperation • Between lead SA and other concerned SAs to reach consensus • Mutual assistance • Provision of relevant information between supervisory authorities • Joint operations • Joint SA investigations and enforcement measures of controllers or processors in several member states or when data subjects are in more than one member state • Consistency mechanism • Specific collaborative process between SAs, Commission and European Data Protection Board for adopting certain measures and ensuring consistent GDPR application • Dispute resolution • Mechanism to dispute a decision (if not jointly agreed upon by SA) • Issuance of binding decisions • Urgency procedure • For the immediate adoption of provisional measures within a member state 240 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 241 Supervision and enforcement The European Data Protection Board (EDPB) • Composition • Independence • Tasks Module 11: Supervision and enforcement Session notes European Data Protection Board (EDPB) (Section 3, GDPR) • Replaces Article 29 Working Party • Composition • Representatives of every member state’s SA • Each of the 30 member states of the EEA will appoint representative to sit on the EDPB • Only representatives from the 27 EU member states may actively participate • Presided over by chair elected by EDPB representatives • Participation from European Data Protection Supervisor (EDPS) and representatives of Commission • EDPS limited voting rights (more on EDPS on following slide) • Commission no voting rights • Independence • EDPB must act independently 241 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 242 Chat Let’s talk about… Is the Article 29 Working Party’s guidance still valid under the GDPR? Module 11: Supervision and enforcement Chat: Let’s talk about… Is the Article 29 Working Party’s guidance still valid under the GDPR? 242 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 243 Supervision and enforcement The European Data Protection Supervisor (EDPS) • Supervision and enforcement • Consultation • Cooperation • Secretariat of the EDPB Module 11: Supervision and enforcement Session notes The European Data Protection Supervisor (EDPS) • The data protection regulator for EU as an entity • Supervision and enforcement • Monitoring personal data processing of EU bodies (Commission, Council, Parliament, etc.) • Checking processing operations that pose high risk to data subjects (before processing) • Dealing with complaints • Making inquiries • Consulting • Consultation • Advising community • Intervening in cases before CJEU • Cooperation • Cooperating with supervisory authorities and supervisory data protection bodies (e.g., Europol) • Secretariat of the EDPB • Oversight of Eurodac 243 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 244 Supervision and enforcement Remedies, liabilities, penalties • Data subjects’ rights • Liability of controllers and processors • Administrative fines • Administrative penalties Module 11: Supervision and enforcement Session notes Remedies, liabilities, penalties (Articles 77–84) • • Data subjects’ rights • To lodge complaint with SA • To judicial remedy against a controller/processor or SA Liability of controllers and processors for damages caused by GDPR infringements • Compensation to individuals who suffer damages • Administrative fines (see following slide) • Additional penalties • Determination of penalties in addition to administrative fees made by member states 244 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 245 Chat Let’s talk about… What is the maximum amount in administrative fines that a controller or processor may receive for a GDPR infringement? Module 11: Supervision and enforcement Chat: Let’s talk about… What is the maximum amount in administrative fines that a controller or processor may receive for a GDPR infringement? 245 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 246 Supervision and enforcement Administrative fines Administrative fines • Depending on several factors • Up to €20,000,000 or 4% of total turnover (whichever is higher) • Up to €10,000,000 or 2% of total turnover (whichever is higher) Module 11: Supervision and enforcement Session notes Administrative fines • • Depending on several factors • Nature, gravity and duration of infringement • Nature, scope and purpose(s) of processing • Number of data subjects concerned • Level of damage and damage mitigation • Intent or negligence • Degree of responsibility (technical and organisational measures) • Previous infringements • Degree of cooperation with SA • Categories of personal data • Manner of notification • Compliance with measures ordered by SA • Adherence to approved codes of conduct/certification mechanisms Up to €20,000,000 or 4% of total turnover (whichever is higher) for infringements of principles, data subjects’ rights, international data transfers, obligations of member state law and noncompliance with SA’s order • • Infringements tend to be more substantive Up to €10,000,000 or 2% of total turnover (whichever is higher) for infringements of most other obligations • Infringements tend to be more administrative 246 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 247 Enforcement action CNIL levies $57M fine on Google for GDPR violations (2019) IAPP, “CNIL levies $57M fine on Google for GDPR violations,” Daily Dashboard, 22 January 2019, https://iapp.org/news/a/cnil-levies-57m-fine-on-google-for-gdpr-violations. Session notes Enforcement action: CNIL levies $57M fine on Google for GDPR violations (2019) The French data protection authority, the CNIL, announced it fined Google $57 million ‘in accordance with the General Data Protection Regulation ... for lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation’. The CNIL said the ‘“one-stop-shop mechanism” was not applicable’, allowing it, along with other DPAs, to be a competent authority. According to the Wall Street Journal, Ireland's Data Protection Commission said, ‘Google until now hasn't met its criteria for having an establishment in Ireland, because its U.S. entity was responsible for processing EU users' data, rather than its Irish unit’. The DPC will ‘become Google's lead [DPA] in the EU for most matters’. Brave's Johnny Ryan said the ‘CNIL's decision is very significant because it means that Google must stop building advertising profiles about people until it has properly told them what it is doing and received their consent’. 247 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 248 Supervision and enforcement Administrative fines: Article 29 Working Party guidelines • SAs will consider the ‘nature, gravity and duration of the infringement’ • Some cases may only trigger a reprimand • The WP29 provides factors to consider when determining the potential size of a fine Module 11: Supervision and enforcement Session notes Former Article 29 Working Party’s ‘Guidelines on the Application and Setting of Administrative Fines’ • SAs will consider the ‘nature, gravity and duration of the infringement’ • Some cases may only trigger a reprimand • Where the infringement ‘does not pose a significant risk to the rights of the data subjects concerned and does not affect the essence of the obligation in question’ or if a fine would impose a ‘disproportionate burden’ on a ‘natural person’ • Factors to consider when determining the potential size of a fine: • Number of data subjects involved: The more people affected, the bigger the fine • Purpose of the processing: SAs will examine how the organisation has addressed the purpose limitation principle—purpose specification and compatible use • Damage suffered by data subjects: While SAs are not competent to award compensation to the data subjects themselves, they are encouraged to consider the damage suffered, or likely to be suffered, as suggested by examples of the ‘risks to rights and freedoms’ in Recital 75 • Duration of the infringement: Fines are more likely if the violation is a result of negligent or intentional behaviour; actions taken ‘in spite of advice from the [DPO]’ may be considered ‘intentional’ 248 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 249 Review question 1. Who does the GDPR task with promoting, monitoring and enforcing the GDPR? A. Controllers B. Processors C. Supervisory authorities D. The European Data Protection Supervisor Module 11: Supervision and enforcement Review question NOTE: Review questions are intended to help reinforce key topics covered in the module. They are not meant to represent actual certification exam questions. 1. Who does the GDPR task with promoting, monitoring and enforcing the GDPR? A. Controllers B. Processors C. Supervisory authorities D. The European Data Protection Supervisor 249 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 250 Review question 2. How many active participants will the European Data Protection Board have? A. 30 B. 27 C. 21 D. 38 Module 11: Supervision and enforcement Review question 2. How many active participants will the European Data Protection Board have? A. 30 B. 27 C. 21 D. 38 250 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 251 Review question 3. Which mechanism facilitates the provision of relevant information between supervisory authorities? A. Cooperation B. Mutual assistance C. Consistency mechanism D. Urgency procedure Module 11: Supervision and enforcement Review question 3. Which mechanism facilitates the provision of relevant information between supervisory authorities? A. Cooperation B. Mutual assistance C. Consistency mechanism D. Urgency procedure 251 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 252 Review question 4. Which mechanism facilitates a specific collaborative process between supervisory authorities, the Commission and the European Data Protection Board for adopting certain measures and ensuring consistent GDPR application? A. Cooperation B. Joint operations C. Consistency mechanism D. Dispute resolution Module 11: Supervision and enforcement Review question 4. Which mechanism facilitates a specific collaborative process between supervisory authorities, the Commission and the European Data Protection Board for adopting certain measures and ensuring consistent GDPR application? A. Cooperation B. Joint operations C. Consistency mechanism D. Dispute resolution 252 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 253 Questions? 253 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. European Data Protection 254 Thank you! 254 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. Appendix ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. EUROPEAN DATA PROTECTION: REVIEW QUESTIONS ANSWER KEY MODULE 1 1. Which of the following data protection milestones is a treaty amongst member states of the Council of Europe? • Convention 108+ 2. Which of the following data protection milestones applies to public electronic communications services and networks? • ePrivacy Directive 3. The European Convention on Human Rights is a product of which institution? • The Council of Europe 4. Which role best describes the European Parliament? • Is engaged in legislative development MODULE 2 1. What is the function of the four-step test? • Determine if data qualifies as personal data 2. Which criteria are used to identify personal data? Select all that apply. • ‘any information’ • ‘relating to’ • ‘an identified or identifiable’ • ‘natural person 3. Select the types of personal data elements that belong to special categories under the GDPR. • Personal data revealing political opinions • Personal data revealing religious or philosophical beliefs • Genetic data used to uniquely identify a natural person 4. True or false: Anonymising personal data is always possible. • False 5. True or false: Pseudonymous data is protected by the GDPR. • True 6. Is the collection and use of device dynamic IP addresses to allow data on a website to be transferred to the correct recipient considered personal data? Why or why not? • In Patrick Breyer v Bundesrepublik Deutschland, the CJEU ruled that dynamic IP addresses were capable of constituting personal data. A person could be indirectly identified if the IP addresses were combined with data help by ISPs. ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. MODULE 3 1. True or false: A data controller may be a natural person or a legal entity, while a data processor must be a legal entity. • False 2. True or false: A contract protects a processor from being held to the same legal obligations as the controller. • False 3. True or false: A processor may decide where and how to process personal data. • False 4. What actions can a controller take to manage vendor risk? • Choose reliable processors • Maintain quality control and compliance throughout the duration of the arrangements • Frame the relationship in a contract (or other legally binding act) MODULE 4 1. What is data processing? • Any action performed upon data 2. What are the criteria used to determine the territorial scope of the GDPR? Select all that apply. • Where the data is processed in the context of the activities of a establishment of a controller or processor in the EU • Intentional processing of personal data of data subjects in the EU relating to offering goods or services or intentional monitoring of behaviour in the EU • Processing of personal data by a controller not established in the EU but in a place where member state law applies 3. True or false: Exclusions to the material scope of the GDPR should be interpreted broadly. • False 4. Which exception to the prohibition on processing special categories of data must be explicit? • Consent MODULE 5 1. Which of the following data subjects’ rights provides data subjects with entitlements to certain information, obtainable from the controller upon request? • Right of access 2. The right of access grants data subjects access to which of the following types of information? Select all that apply. • The purpose of the processing • Retention periods • Recipients of the personal data ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. 3. Which is not listed by the GDPR as a method for restricting processing of personal data? • Disabling the data management system 4. Under which categories may a data subject object to processing personal data? Select all that apply. • Direct marketing • Public interest or legitimate interest • Research or statistical purposes 5. What is profiling? • A form of automated decision-making MODULE 6 1. True or false: A controller may charge an administrative fee to data subjects if they request that the information provision be in an oral format. • False 2. True or false: The transparency principle states that detail is more important than conciseness in a privacy notice. • False 3. What additional information must be provided to data subjects when the controller’s necessity is being used as the legal basis for processing? • Controller’s legitimate interest 4. What information must be provided to data subjects when the personal data that will be processed was collected indirectly? • Source of the data 5. What information must be provided to data subjects when their personal data will be shared with an outside organisation to provide them with a promised service? • Recipients of the data 6. What information must be provided to data subjects in all circumstances? Select all that apply. • Purpose of processing • Data subjects’ rights • Identity of the controller 7. True or false: Information provision is required, even if it necessitates disproportionate effort. • False ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. MODULE 7 1. Arrange the options for international data transfers in the order that they should be considered. • Adequacy decisions • Appropriate safeguards • Derogations 2. Which of the following options for international data transfers is a determination by the European Commission that a third country has achieved an EU-level of personal data protection? • Adequacy decision 3. Which of the following countries have been deemed adequate by the European Commission? Select all that apply. • Argentina • New Zealand • Switzerland • Uruguay 4. Which of the following are appropriate safeguards for international data transfers? Select all that apply. • Binding corporate rules • Standard contractual clauses • Approved codes of conduct or certification mechanisms 5. Which appropriate safeguards allow large multinational companies to adopt a policy suite with rules for handling personal data? • Binding corporate rules 6. True or false: Criteria for derogations are strict and should be interpreted narrowly. • True MODULE 8 1. Which types of laws should be considered when processing employees’ personal data? Select all that apply. • Local employment law • EU data protection law • Member state data protection law 2. Under the GDPR, which legal basis for processing personal data would be difficult to use for processing employee data? • Consent ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. 3. True or false: Some employers may be required to consult with works councils and/or trade unions to process employees’ personal data. • True 4. True or false: Some employers may be required to consult with works councils and/or trade unions to process employees’ personal data. • True 5. True or false: BYOD policies are designed to protect employees’ personal data only. • False 6. The ePrivacy Directive governs the processing of which types of data? Select all that apply. • Location data • Content data • Traffic data 7. True or false: The ePrivacy Directive governs the processing of data through both private and public carriers and communications networks. • False 8. True or false: Under the GDPR, individuals have the absolute right to object to any form of direct marketing at any time. • True 9. Which forms of marketing are subject to the ePrivacy Directive? Select all that apply. • Telephone marketing • Electronic mail marketing 10. Which of the following parties involved in online behavioural advertising may qualify as a data controller? Select all that apply. • An ad network • A website publisher • An advertiser MODULE 9 1. CIAR stands for _____. • Confidentiality, integrity, availability, resilience 2. True or false: A processor is responsible for implementing appropriate technical and organisational measures to keep personal data secure. • True 3. A controller must notify the SA of a personal data breach if _____. • The breach is likely to result in a risk for the rights and freedoms of natural persons. ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. MODULE 10 1. True or false: Both controllers and processors have accountability obligations under the GDPR. • True 2. True or false: Data protection by design begins before processing and incorporates data protection considerations into the planning phase. • True 3. What are the main values of a data protection impact assessment (DPIA)? Select all that apply. • Incorporating data protection considerations into organisational planning • Demonstrating compliance to supervisory authorities 4. True or false: The GDPR requires controllers to always contact the SA following a DPIA and before processing personal data. • False 5. True or false: The GDPR requires a data protection policy to be used ‘where proportionate in relation to processing activities’. • True 6. Which of the following must be included in controllers’ personal data processing records but not in processors’ records? • Purposes of processing 7. True or false: The data protection officer must be an expert in data protection law and practices. • True 8. Which of the following are circumstances that require an organisation to appoint a DPO? Select all that apply. • The controller is a public authority. • The core activities of the controller or processor include regular and systematic monitoring of data subjects on a large scale. • The core activities of the controller or processor consist of large-scale processing of special categories of data. MODULE 11 1. Who does the GDPR task with promoting, monitoring and enforcing the GDPR? • Supervisory authorities 2. How many active participants will the European Data Protection Board have? • 27 3. Which mechanism facilitates the provision of relevant information between supervisory authorities? • Mutual assistance ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. 4. Which mechanism facilitates a specific collaborative process between supervisory authorities, the Commission and the European Data Protection Board for adopting certain measures and ensuring consistent GDPR application? • Consistency mechanism ©2022, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication. EUROPEAN DATA PROTECTION RESOURCES Many resources linked from this training are available to IAPP members only. Reviewing the supplemental, linked content provides the user with additional depth and detail but is not required for completing the course. To learn more about IAPP membership, click here. PRIMARY RESOURCES “2018 Reform of Data Protection Rules.” European Commission Website. European Data Protection Board. “GDPR: Guidelines, Recommendations, Best Practices.” https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-bestpractices_en European Data Protection: Law and Practice, edited by Eduardo Ustaran. Portsmouth, NH: IAPP, 2019. General Data Protection Regulation (full text) Glossary of Privacy Terms: https://iapp.org/resources/glossary/ ADDITIONAL RESOURCES Module 1 “EU institutions: Flow of Power.” BBC News. http://news.bbc.co.uk/hi/english/static/in_depth/europe/2001/inside_europe/eu_institutions/flo w_chart.stm. European Commission: Data protection: https://ec.europa.eu/info/law/law-topic/data-protection_en GDPR full text: http://eur-lex.europa.eu/eli/reg/2016/679/oj. IAPP tool “GDPR Genius”: https://iapp.org/resources/tools/eu-gdpr-genius/ IAPP. “UK, EU Reach Interim Data Flow Agreement.” January 4, 2021. https://iapp.org/news/a/uk-eureach-interim-data-flow-agreement/ “Opinion 5/2019 on the Interplay Between the ePrivacy Directive and the GDPR …” European Data Protection Board. Adopted March 12, 2019. https://edpb.europa.eu/sites/edpb/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_inter play_en_0.pdf. Module 3 “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” European Data Protection Board. Adopted July 07, 2021. https://edpb.europa.eu/system/files/2021- 07/eppb_guidelines_202007_controllerprocessor_final_en.pdf IAPP. “Top 10 Operational Responses to the GDPR — Part 9: Vetting and Contracting with Processors.” March 14, 2018. https://iapp.org/news/a/top-10-operational-responses-to-the-gdpr-part-9-vettingand-contracting-with-processors. Module 4 ©2022, International Association of Privacy Professionals, Inc. (IAPP). “Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) - Version for Public Consultation.” European Data Protection Board. Adopted November 16, 2018. https://edpb.europa.eu/our-worktools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en. “Guidelines 5/2015 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR,” Adopted November 18, 2021 https://edpb.europa.eu/system/files/202111/edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf “Guidelines 05/2020 on consent under Regulation 2016/679”. Adopted 4 May 2020 https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf IAPP. “Dutch DPA hits tennis association with 525K euro GDPR fine.” Daily Dashboard. March 4, 2020. https://iapp.org/news/a/dutch-dpa-hits-tennis-association-with-520k-euro-gdpr-fine/. IAPP. “Top 10 Operational Responses to the GDPR — Part 2: Lawful Bases for Processing.” February 7, 2018. https://iapp.org/news/a/top-10-operational-responses-to-the-gdpr-part-2-lawful-bases-forprocessing. Module 5 “Guidelines on Automated Individual Decision-making and Profiling.” Article 29 Data Protection Working Party. Adopted February 6, 2018. http://ec.europa.eu/newsroom/article29/itemdetail.cfm?item_id=612053. “Guidelines on the Right to Data Portability.” Article 29 Data Protection Working Party. Adopted April 5, 2017. http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611233 IAPP. “Top 10 Operational Responses to the GDPR — Part 7: Accommodating Data Subjects’ Rights.” March 8, 2018. https://iapp.org/news/a/top-10-operational-responses-to-the-gdpr-part-7accommodating-data-subjects-rights. Module 6 “Guidelines on Transparency.” Article 29 Data Protection Working Party. Adopted April 11, 2018. http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227. IAPP. “Poland's DPA Issues its First GDPR fine.” Daily Dashboard. April 1, 2019. https://iapp.org/news/a/polands-dpa-issues-first-gdpr-fine. IAPP. “Top 10 Operational Responses to the GDPR — Part 6: Transparency and Privacy Notices.” February 28, 2018. https://iapp.org/news/a/top-10-operational-responses-to-the-gdpr-part-6transparency-and-privacy-notices. Module 7 “Guidelines 1/2018 on Certification and Identifying Certification Criteria …” European Data Protection Board. Adopted June 4, 2019. https://edpb.europa.eu/our-work-tools/ourdocuments/guidelines/guidelines-12018-certification-and-identifying-certification_en.. “Guidelines 2/2018 on Derogations of Article 49 under Regulation 2016/679.” European Data Protection Board. Adopted May 25, 2018. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf. ©2022, International Association of Privacy Professionals, Inc. (IAPP). “Guidelines 04/2021 on Codes of Conduct as tools for transfers,” European Data Protection Board. Adopted February 22, 2022 https://edpb.europa.eu/system/files/202203/edpb_guidelines_codes_conduct_transfers_after_public_consultation_en_1.pdf European Commission. “Standard contractual clauses for international transfers.” https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-dataprotection/standard-contractual-clauses-scc/standard-contractual-clauses-internationaltransfers_en. European Data Protection Board. “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.” https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations012020-measures-supplement-transfer_en European Data Protection Board. “The CNDP adopts the certification mechanism GDPR-CARPA.” June 27, 2022 https://edpb.europa.eu/news/national-news/2022/cnpd-adopts-certification-mechanismgdpr-carpa_en IAPP. “UK, EU Reach Interim Data Flow Agreement.” January 4, 2021. https://iapp.org/news/a/uk-eureach-interim-data-flow-agreement/ Jen Kirby, “The new Brexit deadline will be January 31,” Vox, updated October 28, 2019. https://www.vox.com/world/2019/10/28/20936119/brexit-news-january-31-extensioneuropean-union-uk. Tielemans, Jetty. “Updated Brexit Privacy Checklist.” IAPP Resource Center. January 2021. https://iapp.org/media/pdf/resource_center/brexit_privacy_checklist.pdf. IAPP. “A breakdown of EDPB’s recommendations for data transfers post-‘Schrems II’.” November 11, 2020. https://iapp.org/news/a/a-break-down-of-edpbs-recommendations-for-data-transfers-postschrems-ii/ “Working Document on Binding Corporate Rules for Controllers” https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614109 “Working Document on Binding Corporate Rules for Processors” https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614110 Module 8 European Commission: Strategy for Artificial Intelligence: https://digitalstrategy.ec.europa.eu/en/policies/strategy-artificial-intelligence European Commission: High-level expert group on artificial intelligence : https://iapp.org/media/pdf/resource_center/AIEthicsGuidelinespdf.pdf “Guidelines 8/2020 on the targeting of social media users,” European Data Protection Board. Adopted April 13, 2021 https://edpb.europa.eu/system/files/202104/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf ©2022, International Association of Privacy Professionals, Inc. (IAPP). “Guidelines 10/2020 Restrictions under Article 23 GDPR,” European Data Protection Board. Adopted October 13, 2021 https://edpb.europa.eu/system/files/202110/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf “Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR,” European Data Protection Board. Adopted 7 July 2020 https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201905_rtbfsearchengines _afterpublicconsultation_en.pdf Module 9 “Guidelines on Personal Data Breach Notification.” Article 29 Data Protection Working Party. Adopted February 6, 2018. http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612052. IAPP. “German state DPA issues country's first GDPR fine.” Daily Dashboard. November 26, 2018. https://iapp.org/news/a/german-state-dpa-issues-countrys-first-gdpr-fine. IAPP. “CNIL Issues 400K Euro Fine for GDPR Violations.” Daily Dashboard. June 6, 2019. https://iapp.org/news/a/cnil-issues-400k-euro-fine-for-gdpr-violations. “Guidelines 3/2019 on processing of personal data through video devices,” European Data Protection Board. Adopted 29 January 2020 https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201903_video_devices_en_ 0.pdf Module 10 “Guidelines on Data Protection Impact Assessment (DPIA) ...” Article 29 Data Protection Working Party. Adopted April 4, 2017. http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236. “Guidelines on Data Protection Officers (‘DPOs’).” Article 29 Data Protection Working Party. Adopted April 5, 2017. http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048. IAPP. “Top 10 Operational Responses to the GDPR — Part 3: Build and Maintain a Data Governance System.” February 14, 2017. https://iapp.org/news/a/top-10-operational-responses-to-the-gdprpart-3-build-and-maintain-a-data-governance-system. IAPP. “Top 10 Operational Responses to the GDPR — Part 4: Data Protection Impact Assessments and Data Protection by Default and by Design.” February 20, 2018. https://iapp.org/news/a/top-10operational-responses-to-the-gdpr-part-4-data-protection-impact-assessments-and-data-protectionby-default-and-by-design. IAPP. “Top 10 Operational Responses to the GDPR — Part 5: Preparing and Implementing Dataretention and Record-keeping Policies and Systems.” February 26, 2018. https://iapp.org/news/a/top-10-operational-responses-to-the-gdpr-part-5-preparing-andimplementing-data-retention-and-record-keeping-policies-and-systems/. Piotr Foitzik, “Privacy by Default in Online Services.” The Privacy Advisor. IAPP. May 23, 2017. https://iapp.org/news/a/privacy-by-default-in-online-services. Module 11 Article 58 GDPR https://gdpr-info.eu/art-58-gdpr/ ©2022, International Association of Privacy Professionals, Inc. (IAPP). “Guidelines for Identifying a Controller or Processor’s Lead Supervisory Authority.” Article 29 Data Protection Working Party. Adopted April 5, 2017. http://ec.europa.eu/newsroom/article29/itemdetail.cfm?item_id=611235. “Guidelines, Recommendations, Best Practices”. https://edpb.europa.eu/our-work-tools/generalguidance/gdpr-guidelines-recommendations-best-practices_en. “Guidelines on the Application and Setting of Administrative Fines.” Article 29 Data Protection Working Party. Adopted October 3, 2017. https://ec.europa.eu/newsroom/article29/itemdetail.cfm?item_id=611237. IAPP. “CNIL Levies $57M Fine on Google for GDPR Violations.” Daily Dashboard. January 22, 2019. https://iapp.org/news/a/cnil-levies-57m-fine-on-google-for-gdpr-violations. IAPP. “Top 10 Operational Responses to the GDPR — Part 10: Communicating with Supervisory Authorities.” March 15, 2018. https://iapp.org/news/a/top-10-operational-responses-to-the-gdprpart-10-communicating-with-supervisory-authorities. EUROPEAN DATA PROTECTION: BODY OF KNOWLEDGE MAPPING BODY OF KNOWLEDGE TOPIC MODULE # I. Introduction to European Data Protection A. Origins and Historical Context of Data Protection Law 1. Rationale for data protection Module 1 2. Human rights laws Module 1 3. Early laws and regulations Module 1 a. OECD Guidelines and the Council of Europe Module 1 b. Convention 108 Module 1 4. The need for a harmonised European approach Module 1 5. The Treaty of Lisbon Module 1 6. A modernised framework Module 1 B. European Union Institutions 1. European Court of Human Rights Module 1 2. European Parliament Module 1 3. European Commission Module 1 ©2022, International Association of Privacy Professionals, Inc. (IAPP). 4. European Council Module 1 5. European Court of Justice of the European Union Module 1 C. Legislative Framework 1. The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (The CoE Convention) Module 1 2. The EU Data Protection Directive (95/46/EC) Module 1 3. The EU Directive on Privacy and Electronic Communications (2002/58/EC) – (ePrivacy Directive) - as amended Module 1, Module 8 4. The EU Directive on Electronic Commerce (2000/31/EC) Module 1 5. European data retention regimes Module 1 6. The General Data Protection Regulation (GDPR) (EU) 2016/679 and related legislation All modules II. European Data Protection Law and Regulation A. Data Protection Concepts 1. Personal data Module 2 2. Sensitive personal data Module 2 3. Pseudonymous and anonymous data Module 2 4. Processing Module 4 5. Controller Module 3 6. Processor Module 3 a. Guidelines 07/2020 on the concepts of controller and processor in the GDPR 7. Data subject Module 3 Module 3 B. Territorial and Material Scope of the General Data Protection Regulation 1. Establishment in the EU Module 4 2. Non-establishment in the EU Module 4 a. Guidelines 3/2018 on the territorial scope of the GDPR Module 4 C. Data Processing Principles 1. Fairness and lawfulness Module 4 2. Purpose limitation Module 4 ©2022, International Association of Privacy Professionals, Inc. (IAPP). 3. Proportionality Module 4 4. Accuracy Module 4 5. Storage limitation (retention) Module 4 6. Integrity and confidentiality Module 4 D. Lawful Processing Criteria 1. Consent Module 4 2. Contractual necessity Module 4 3. Legal obligation, vital interests and public interest Module 4 4. Legitimate interests Module 4 5. Special categories of processing Module 4 E. Information Provision Obligations 1. Transparency principle Module 6 2. Privacy notices Module 6 3. Layered notices Module 6 F. Data Subjects’ Rights 1. Access Module 5 2. Rectification Module 5 3. Erasure and the right to be forgotten (RTBF) Module 5 a. Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR Module 8 4. Restriction and objection Module 5 5. Consent, including right of withdrawal Module 5 6. Automated decision making, including profiling Module 5 7. Data portability Module 5 8. Restrictions Module 5 a. Guideline 10/2020 on restrictions under Article 23 GDPR G. Security of Personal Data ©2022, International Association of Privacy Professionals, Inc. (IAPP). Module 8 1. Appropriate technical and organisational measures a. Protection mechanisms (encryption, access controls, etc.) 2. Breach notification a. Risk reporting requirements Module 9 Module 9 Module 9 Module 9 3. Vendor management Module 3 4. Data sharing Module 3 H. Accountability Requirements 1. Responsibility of the controllers and processors a. Joint controllers Module 3, Module 10 Module 3 2. Data protection by design and by default Module 10 3. Documentation and cooperation with regulators Module 10 4. Data protection impact assessment (DPIA) Module 10 a. Established criteria for conducting Module 10 5. Mandatory data protection officers Module 10 6. Auditing of privacy programs Module 10 I. International Data Transfers 1. Rationale for prohibition a. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR Module 7 Module 4 2. Adequate jurisdictions Module 7 3. Safe Harbor and Privacy Shield Module 7 4. Standard Contractual Clauses Module 7 5. Binding Corporate Rules (BCRs) Module 7 6. Codes of Conduct and Certifications Module 7 a. Guidelines 04/2021 on codes of conduct as tools for transfers 7. Derogations a. Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Module 7 Module 7 Module 7 8. Transfer impact assessments (TIAs) a. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data Module 7 Module 7 J. Supervision and enforcement 1. Supervisory authorities and their powers Module 11 2. The European Data Protection Board Module 11 3. Role of the European Data Protection Supervisor (EDPS) Module 11 K. Consequences for GDPR violations 1. Process and procedures Module 11 2. Infringements and fines Module 11 3. Class actions Module 11 4. Data subject compensation Module 11 III. Compliance with European Data Protection Law and Regulation A. Employment Relationship 1. Legal basis for processing of employee data Module 8 2. Storage of personnel records Module 8 3. Workplace monitoring and data loss prevention Module 8 4. EU Works councils Module 8 5. Whistleblowing systems Module 8 6. ‘Bring your own device’ (BYOD) programs Module 8 B. Surveillance Activities 1. Surveillance by public authorities Module 8 2. Interception of communications Module 8 3. Closed-circuit television (CCTV) Module 8 a. Guidelines 3/2019 on processing of personal data through video devices Module 9 4. Geolocation Module 8 5. Biometrics/facial recognition Module 8 ©2022, International Association of Privacy Professionals, Inc. (IAPP). C. Direct Marketing 1. Telemarketing Module 8 2. Direct marketing Module 8 3. Online behavioural targeting Module 8 a. Guidelines 8/2020 on the targeting of social media users Module 8 D. Internet Technology and Communications 1. Cloud computing Module 8 2. Web cookies Module 8 3. Search engine marketing (SEM) Module 8 4. Social networking services Module 8 5. Artificial Intelligence (AI) Module 8 a. machine learning Module 8 b. ethical issues Module 8 ©2022, International Association of Privacy Professionals, Inc. (IAPP). Ready to get certified? Leave the stress and pass the test Providing you with respected credentials requires a rigorous certification process that includes demanding exams. IAPP exams have a reputation for being difficult to pass on the first try. We strongly recommend careful preparation, even for degreed professionals who have passed other certification tests. Preparation makes all the difference. In general, we recommend that you train and study for a minimum of 30 hours. We want you to succeed. Please take advantage of this advice and IAPP resources to get through exams with as little anxiety as possible. Tips for effective studying Completing a training course does not guarantee passing an exam. Additional preparation is essential, so: • Self-assess—The IAPP offers two resources for determining how ready you are for the exam: 1. The body of knowledge is an outline of the information covered in the exam. Use it to identify topics you are and are not familiar with. 2. The exam blueprint tells you how many questions to expect on each topic. Use it to map out a study strategy—allowing more time for topics with many questions, for example. You can find links to the exam blueprints and bodies of knowledge at iapp.org/certify/get-certified/. • Use your textbook properly—Textbooks are included with purchase of in-person and online training, and are also sold separately through the IAPP store at iapp.org/store/books/. Start by reading the table of contents. Note which topics are new to you. That will give you a feel for how much study and review time you need. When you start reading: 1. Highlight important points in each chapter. 2. Copy out key passages; it will help you remember them. 3. Review each chapter to make sure you have captured the key points before moving on. • • • • Create flashcards—As you read your textbook, articles, web pages, etc., copy new terms onto notecards. Write their definitions on the other side. Quiz yourself. Use the IAPP’s glossary of privacy terms to look up unfamiliar terms and make flash cards of them as well. Form a study group—Discussing the material with your coworkers and colleagues is a great way to remember material and understand it more deeply. Learn in context—It is easier and more interesting to learn a subject you are going to use in real life. IAPP publications and resources show how privacy affects our lives and businesses. Get familiar with privacy news and issues by signing up for the IAPP’s Daily Dashboard, Privacy Advisor, and Europe Data Protection Digest. Use questions to find answers—Every training course comes with sample questions to help you review what you have studied and identify weak areas. Re-read notes and chapters on those subjects. Ask your study partners questions. Search for articles that approach the subject from different directions. Find this information, with hyperlinks to the relevant resources mentioned above, on the IAPP website at iapp.org/certify/prepare. Good luck! IAPP Member Benefits At-a-Glance • Daily and weekly e-publications summarizing top privacy news • Discounted rates on education products and programs, including study materials for our globally recognized certification programs, and annual conferences and events • The Privacy Advisor, the IAPP’s monthly members-only newsletter • Professional networking opportunities, including free KnowledgeNet chapter meetings to keep you connected in your local community • Privacy salary surveys that benchmark compensation trends, roles and functions among privacy departments • Privacy job postings • Access to members-only tools, research, articles and more in the IAPP’s online Resource Center • The IAPP Membership Directory, an online tool that allows you to search for and network with other IAPP members • Free web conferences • Access to the Privacy Tracker blog • Cooperative programs with other national and international organizations • Advocacy for the privacy profession News You are busy. We make it easy to stay on top of the headlines. Certify IAPP certification is what employers want. We can help you advance your career and increase your earning potential. Learn 10+ free web conferences give you instant access to the latest and greatest in privacy. Connect It is all about who you know. Targeted online and face-to-face networking opportunities give you access to the people you want to meet. Resources The newly revamped Resource Center is a onestop-shop for practical tools and research to help you tackle your biggest challenges. Credit Hours: Date Attended: Number of Presented to: 13 IAPP President & CEO J. Trevor Hughes For European Data Protection Live Training ATTENDANCE Certificate of Top 10 ways IAPP certification benefits you and your enterprise Advance your career, increase your earning potential, validate your data protection knowledge and make yourself indispensable at work. (This next bit is good to share with your boss.) 1 Earn certifications recognised as the global standard in the field of data protection. 2 Demonstrate your understanding of a principles-based framework and knowledge of information privacy. 3 Join more than 25,000 data protection practitioners valued for their knowledge, dedication and skill. 4 Elevate your leadership profile among your colleagues. 5 Open the door to higher earning potential with top employers hiring and promoting IAPP-certified professionals. 6 Train your functional area teams to prevent data breach incidents and reduce risks. 7 Improve compliance across your workplace and make it more cost-effective. 8 Avoid costly fixes and rework by applying privacy concepts and practices early in product development and engineering efforts. 910 Prepare staff to handle and communicate about potential breaches with customers, partners and regulators. 10 Conveniently deliver on-site training with IAPP’s distinguished faculty. Talk to us. iapp.org/contact ASIA PACIFIC asia@iapp.org ata Protection dD cer Offi Cert ifie TAKE THE NEXT STEP Ask for details on how to train and test for your certification by visiting iapp.org/about/contact/ EMEA europe@iapp.org +32 (0)2 486 41 66 NORTH AMERICA sales@iapp.org +1 603.427.9200

CIPPE ILT PGDigital v5.2

Related documents

Products

Support

CIPPE ILT PGDigital v5.2

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib