The General Data Protection Regulation: Cheat Sheet

What is the GDPR about?
- Protection of individuals' personal data (Fundamental Rights)
- Free flow of personal data (economic aspect)

When does it apply?
- Entities processing personal data (both PUBLIC and PRIVATE)
- Processing personal data in the EU/EEA
- Outside the EU/EEA:
  - offering goods and services in the EU
  - tracking behaviour of individuals in the EU (e.g. tracking users)
  - (national law of Member State)
- Exclusions:
  - Outside of scope of Union law
  - EU CFSP
  - Purely personal or household use
  - Prosecution of criminal offences

Personal Data
- Definition: Any information related to an identified or identifiable natural person
- Identifiable directly or indirectly: name, ID number, online identifier, location data, etc.
- Data relating to a data subject
- Combination of non-personal data that enables identification
- Sensitive Data: racial or ethnic origin; political opinion; religious or philosophical beliefs; trade union membership; genetic data; biometric data; health data; sexual orientation

Processing
- When wholly or partially automated OR when a filing system is used (broad definition)
- Includes almost any action done with personal data (accessing, saving, changing, using, etc.)
- Processing must be lawful, i.e. follow a legal basis

Principles
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality

Legal basis
- Closed list of grounds for processing personal data:
  - Consent (freely given + specific + informed + unambiguous + age of consent)
  - Performance of a contract
  - Legal obligation for the controller
  - Vital interest of the data subject
  - Public interest
  - Legitimate interest (not for public bodies carrying out a public task)

Data subject rights
- Data subject = natural person
- Right to transparent information, communication and modalities to exercise rights
- Right to information relating to the processing (both where data is obtained by first and third parties)
- Right to access
- Right to rectification, erasure and restriction of processing
- Right to data portability
- Right to object
- Right to explanation of decision-making logic (algorithmic transparency)

Profiling/Automated Decision-making
- Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her
- Exceptions: (i) necessary for performance of a contract; (ii) EU/national law derogations + safeguards in place; (iii) explicit consent

Transfer of Personal Data to Third Countries
- Transfer of personal data from the EU to third countries is prohibited unless one of the following measures is in place:
  - Adequacy decision
  - Binding Corporate Rules (BCRs)
  - Model Contract Clauses
  - Explicit Consent
  - (Derogations)

Controller and Processor
- Controller = decides on data processing
- Processor = acts under the instructions of the controller to process data
- These notions are used to identify the obligations and liability of entities processing personal data
- Various different combinations are possible (controller and processor are one entity; controller and processors are separate entities; joint controllers; sub-processors; etc.): best map the data flow and check which entities have what role

Accountability & Compliance
- Controllers and processors:
  - Must adhere to the data protection principles when processing personal data
  - Must inform data subjects on the processing
  - Must respond to data subject requests + enable data subject rights
  - Must keep a record of their processing + risk-based approach (vs. prior notification to supervisory authority)
  - Must conduct data protection impact assessments (DPIAs) for risky processing operations
  - Must have technical and organisational measures in place to secure personal data (NEW: privacy by design & by default)
  - Data Breach Notification (within 72 hrs)

Data Protection Officer (DPO)
- Appointment mandatory for:
  - Public authority, or
  - Core activity of organisation = large-scale and systematic processing of personal data or sensitive data/criminal data
- Tasks:
  - Inform and advise the organisation and its employees of their data protection obligations under the GDPR
  - Monitor the organisation's compliance with the GDPR and internal data protection policies and procedures. Includes monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits.
  - Data protection impact assessments (DPIAs), the manner of their implementation and outcomes.
  - Serve as contact point to the data protection authorities, including data breach reporting.
  - Serve as contact point for individuals (data subjects) on privacy matters, including subject access requests.

Enforcement
- Supervisory Authorities + effective judicial remedies in Member States
- Fines up to €20 million or 4% of global annual turnover
- Suspension of processing
- Investigative powers of Supervisory Authorities
- Collective redress mechanism