GDPR Overview
December 2019
Personal data protection legislation introduction

The incorporation of obligations for data controllers, rights for data subjects and implementation of security controls require companies to adapt and review privacy policies and procedures currently in place.

These data protection reforms will require companies to implement a series of legal, technical and organizational measures to adapt to them which, in most cases, will mean they will need to perform an in-depth analysis of data protection procedures and possibly modify their business models for that purpose.
Penalties for non-compliance

01 – Law 133/2011: EUR 750
Provides a maximum of 300 contraventional units (1 contraventional unit = 50 MDL) = approx. EUR 750. These sanctions are not considered effective, proportionate and dissuasive as compared with the GDPR.

02 – New law: up to EUR 100,000 or up to 2% of the total worldwide annual turnover (very serious infringements)
Penalties for non-compliance with, for example, the articles in relation to:
• The basic principles for processing, including conditions for consent
• The data subjects' rights
• Transfers of personal data to a recipient in a third country or an international organization
• Any other obligations (i.e. not included in the personal data protection law) pursuant to Moldovan law
• Orders by the supervisory authority
Figure: Personal data vs. special categories of personal data (reconstructed from figure residue)
• Personal data: name, pseudonymized data, encrypted data
• Special categories of personal data: health data, ethnic origins, genetic data, criminal record, political options, sexual orientation, union membership, religious and philosophical beliefs, biometric data, race
• Not personal data: anonymous data, aggregated data, company's data
Figure: Normal vs. sensitive personal data (reconstructed from figure residue)
• Normal: physical traits, address, contact details, hobbies, location data
• Sensitive: genetic data, political leanings, health, trade union membership, sexual history
Processing: any operation performed upon personal data (collecting, recording, organization, use, disclosure by transmission, alignment or combination, erasure or destruction)

Data lifecycle: Collection → Storage → Use → Transfer → Retention & Disposal
Figure: GDPR compliance areas (reconstructed from figure residue)
• Employees
• Data security
• Governance
• Principles
• Data transfers
• Consent
• Special categories
• DPO
• PDPL
• Data subjects' rights
• DPIA
• Privacy by design & default
• Data breach
• Processors
• RPA (records of processing activities)
Lawful bases for processing

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Principles: storage limitation, purpose limitation, integrity and confidentiality, data minimization

Data subjects' rights:
• Right of access
• Right to data portability
• Right to rectification
• Right to object
• Right to erasure
• Right not to be subject to an automated decision
© 2019. For information, contact Deloitte Romania Data protection 19
Records of Processing Activities

Required when the processing:
• Is not occasional
• Includes special categories of data and data relating to criminal convictions and offences

Must document, among other things:
• The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations
• The transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards
Security of processing: integrity, confidentiality, availability, encryption, resilience, pseudonymization

Selected measures:
• 5 – Protection of storage devices: inventory of assets, encryption, remote wipe
• 7 – Intrusion prevention and detection tools
• 12 – Enabling audit logs and storing them for 5 years
• 14 – Internal controls / internal audit for security, on an annual basis
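The slides list pseudonymization and encryption as security measures and, in the earlier figure, place pseudonymized data under "personal data" but aggregated data outside it. The following example is added here to illustrate that distinction in code; it is not part of the Deloitte material. It assumes HMAC-SHA256 keyed tokens as the pseudonymization method, a constructed set of five fictitious employee records, and an arbitrary minimum group size of 2 for aggregation; none of these choices come from the slides.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictitious employees); not data from the slides.
SAMPLE_RECORDS = [
    {"name": "Ana Popescu", "email": "ana@example.com", "department": "Sales", "health_flag": 1},
    {"name": "Ion Ionescu", "email": "ion@example.com", "department": "Sales", "health_flag": 0},
    {"name": "Maria Rusu", "email": "maria@example.com", "department": "IT", "health_flag": 0},
    {"name": "Vasile Dinu", "email": "vasile@example.com", "department": "IT", "health_flag": 1},
    {"name": "Elena Marin", "email": "elena@example.com", "department": "Legal", "health_flag": 0},
]

# Fields treated as direct identifiers (assumption for this example).
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash of an identifier (HMAC-SHA256, truncated to 16 hex chars).

    An unkeyed hash of an e-mail address can be reversed by guessing inputs;
    the key makes the mapping depend on a secret only the controller holds.
    """
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Replace direct identifiers with a token; return (dataset, lookup table).

    The lookup table (or the key) is the 'additional information' that must be
    kept separately: whoever holds it can re-identify the records, which is why
    the output is still personal data.
    """
    dataset, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        dataset.append({"subject_id": token,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return dataset, lookup


def reidentify(pseudo_record, lookup):
    """Reverse the pseudonymization; returns None when the token is unknown."""
    return lookup.get(pseudo_record["subject_id"])


def aggregate_by_department(pseudo_records, min_group_size: int = 2):
    """Per-department totals, suppressing groups smaller than min_group_size.

    A group of one would still single out a person (the 'Legal' total plus
    knowing who works in Legal reveals that person's health_flag), so small
    groups are dropped before the result is treated as aggregated data.
    """
    sizes = Counter(r["department"] for r in pseudo_records)
    cases = Counter()
    for r in pseudo_records:
        cases[r["department"]] += r["health_flag"]
    return {dept: {"n": n, "health_cases": cases[dept]}
            for dept, n in sorted(sizes.items()) if n >= min_group_size}


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-a-vault"   # constructed; store separately in practice
    data, table = pseudonymize(SAMPLE_RECORDS, key)
    print(data[0])                        # token, department and health_flag; no name or e-mail
    print(reidentify(data[0], table))     # the name and e-mail come back only with the table
    print(aggregate_by_department(data))  # Sales and IT totals; Legal (one person) suppressed
```

The point for the measures list above: the pseudonymized dataset can be handed to analysts without names, but the key and the lookup table must sit under separate access controls, because with them the data is fully re-identifiable. Only the suppressed aggregate is no longer about an identifiable person, and even that depends on the group-size threshold.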
Confidentiality breach

Notification (to the supervisory authority)
• Trigger: risk to the rights and freedoms of natural persons
• Describe the nature of the personal data breach, categories and approximate number of data subjects and records
• Name and contact details of the DPO
• Describe likely consequences of the breach
• Describe measures taken to address the breach and mitigate adverse effects
• No notification: if personal data are already publicly available (no confidentiality breach) and there is no availability breach

Communication (to data subjects)
• Trigger: high risk to the rights and freedoms of natural persons
• Describe the nature of the personal data breach
• Name and contact details of the DPO
• Describe likely consequences of the breach
• Describe measures taken to address the breach and mitigate adverse effects
• Communicate to the affected data subjects directly
• If disproportionate effort: public communication
Chart: Number of notifications ("Număr notificări") by country: Romania, Bulgaria, Czech Republic, Slovakia, Lithuania, Poland, Hungary, Croatia. Axis range 0–2000; the bar values visible in the extracted text are 2000, 626, 398, 380, 100, 33, 0 and 0, but their assignment to countries is not recoverable from the residue.
Figure: Types of breach (reconstructed from figure residue)
• Copy of data
• Technical issues with information systems
• Data loss: document destruction due to disasters
• Physical documents loss by employees
• Data alteration / modification