Professional Documents
Culture Documents
Protection and
Management
Elsa MIMOUN
elsamimoun@ieseg.fr
The
data protection regime
under the GDPR
Elsa MIMOUN
Article 24
Responsibility of the controller
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying
likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate
technical and organisational measures to ensure and to be able to demonstrate that processing is performed in
accordance with this Regulation.
• Article 28 GDPR :
« 1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to
implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation
and ensure the protection of the rights of the data subject.
2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of
general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other
processors, thereby giving the controller the opportunity to object to such changes. »
• Article 29 GDPR :
« The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not
process those data except on instructions from the controller, unless required to do so by Union or Member State law. »
•
IÉSEG - School of Management, Campus de Paris
THE DATA CONTROLLER’S OBLIGATIONS (GDPR)
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of
processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the
processing, the controller shall, both at the time of the determination of the means for processing and at the time of
the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which
are designed to implement data-protection principles, such as data-minimisation, in an effective manner and to
integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and
protect the rights of data subjects.
Ex: when you download an app on your phone , you are asked for your consent to give access
to your pictures and videos
IÉSEG - School of Management, Campus de Paris
THE DATA CONTROLLER’S OBLIGATIONS (GDPR)
B. Privacy by design and by default
1. Principles
1.1 Privacy by design
1.2 Privacy by default
2. Obligations
2.2 Limitation
! Art. 5 GDPR
Personal data shall be :
(…)
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with
those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes
(‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data
minimisation’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the
personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed
solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance
with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this
Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
IÉSEG - School of Management, Campus de Paris
THE DATA CONTROLLER’S OBLIGATIONS (GDPR)
B. Privacy by design and by default
1. Principles
1.1 Privacy by design
1.2 Privacy by default
2. Obligations
2.1 Limitation
2.3 Security
2. Obligations
2.1 Limitation
2.3 Security
2. Obligations2.1 Limitation
2.3 Security
• What is a data protection breach?
Losing an
Sending an email Accidentally
encrypted USB
to the wrong deleting client’s Power fail
drive with client’s
recipient details
data
2. Obligations
2.1 Limitation
2.3 Security
• What are the obligations of the data
controller in case of a breach ?
2. Obligations
2.1 Limitation
2.3 Security
• The obligation of notification
! To the supervisory authority (Article 33 GDPR)
In the case of a personal data breach, the controller shall notify the personal data
breach to the supervisory authority competent (national authority) unless the
personal data breach is unlikely to result in a risk to the rights and freedoms of
natural persons.
• Timing ?
• Content ?
IÉSEG - School of Management, Campus de Paris
THE DATA CONTROLLER’S OBLIGATIONS (GDPR)
B. Privacy by design and by default
1. Principles
1.1 Privacy by design
1.2 Privacy by default
2. Obligations
2.1 Limitation
2.3 Security
• The obligation of notification
! To the supervisory authority (Article 33 GDPR)
In the case of a personal data breach, the controller shall notify the personal data
breach to the supervisory authority competent (national authority) unless the
personal data breach is unlikely to result in a risk to the rights and freedoms of
natural persons.
• Timing ?
• Content ?
IÉSEG - School of Management, Campus de Paris
THE DATA CONTROLLER’S OBLIGATIONS (GDPR)
B. Privacy by design and by default
1. Principles
1.1 Privacy by design
1.2 Privacy by default
2. Obligations
2.1 Limitation
2.3 Security
• The obligation of notification
! To the supervisory authority (Article 33 GDPR)
• Content ? (Article 33.3)
« The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and
approximate number of data subjects concerned and the categories and approximate number of personal
data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where
more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data
breach, including, where appropriate, measures to mitigate its possible adverse effects. »
IÉSEG - School of Management, Campus de Paris
THE DATA CONTROLLER’S OBLIGATIONS (GDPR)
B. Privacy by design and by default
1. Principles
1.1 Privacy by design
1.2 Privacy by default
2. Obligations
2.1 Limitation
2.3 Security
• The obligation of notification
! To the data subject (Article 34 GDPR)
• When the personal data breach is likely to result in a high risk to the rights and freedoms of natural
persons, the controller shall communicate the personal data breach to the data subject without undue
delay.
• The communication to the data subject shall describe in clear and plain language the nature of the
personal data breach and contain at least the information and measures required in the notification to the
authority.
• Exception : this notification is not necessary if the data controller has taken prior or subsequent measures
to prevent the high risk to the rights and freedoms of data subjects.
• The communication can be public if it would otherwise involve disproportionate effort.
IÉSEG - School of Management, Campus de Paris
THE DATA CONTROLLER’S OBLIGATIONS (GDPR)
• Is it mandatory to
appoint a DPO?
• What a DPO does,
exactly?
Article 37 (Designation)
1. The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their
judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which,
by virtue of their nature, their scope and/or their purposes, require regular and systematic
monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of
special categories of data pursuant to Article 9 and personal data relating to criminal convictions
and offences referred to in Article 10.
“2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily
accessible from each establishment.(…)
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies
representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a
data protection officer. The data protection officer may act for such associations and other bodies representing controllers or
processors.
5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of
data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service
contract.
7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the
supervisory authority.
IÉSEG - School of Management, Campus de Paris
THE DATA CONTROLLER’S OBLIGATIONS (GDPR)
C. Tools of the compliance and accountability
1. Actors
1.1 The DPO: the data protection officer
Article 38
1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which
relate to the protection of personal data.
Article 39
The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this
Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the
controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training
of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article
36, and to consult, where appropriate, with regard to any other matter. IÉSEG - School of Management, Campus de Paris
THE DATA CONTROLLER’S OBLIGATIONS (GDPR)
C. Tools of the compliance and accountability
1. Actors
1.2 An EU representative ( if not settled in the EU)
Article 27 GDPR :
1. Where Article 3(2) applies, the controller or the processor shall designate in writing a
representative in the Union.
2. The obligation laid down in paragraph 1 of this Article shall not apply to:
a. processing which is occasional (≠ large scale of data, sensitive data, criminal records)
b. a public authority or body.
2. Processes
2.1 For security
Article 32 GDPR:
“Security of processing
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as
the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the
time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and
organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data-minimisation,
in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation
and protect the rights of data subjects.
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the
security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in
particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted,
stored or otherwise processed.”
IÉSEG - School of Management, Campus de Paris
THE DATA CONTROLLER’S OBLIGATIONS (GDPR)
C. Tools of the compliance and accountability
1. Actors (DPO, UE representative)
2. Processes
2.2 Records
Art. 30 GDPR
« Each controller and, where applicable, the controller's
representative, shall maintain a record of processing activities
under its responsibility.
2. Processes
2.2 Records
But …
Exceptions :
- legal obligation necessity
- public interest necessity IÉSEG - School of Management, Campus de Paris
THE DATA CONTROLLER’S OBLIGATIONS (GDPR)
C. Tools of the compliance and accountability
1. Actors (DPO, UE representative)
DPIA Template
https://www.cnil.fr/en/PIA-privacy-impact-assessment-en
Identify any harm or damage your processing • Deciding not to collect certain data
may cause – physical, emotional, or material: • Limiting scope of processing
• Inability to exercise rights • Reducing retention time
• Loss of control over use of personal data • Taking additional security measures
• Discrimination • Training staff to anticipate and mitigate risks
• Identity theft/fraud
• Anonymizing/pseudonymizing data
• Financial loss
• Data sharing agreements
• Reputation damage
• Physical harm • Making appropriate changes to Privacy Notices
• Loss of confidentiality • Offer opt-out
• Reidentification of pseudonymized data • Implement new systems to help data subjects
• Significant social/economic damage exercise their rights
IÉSEG - School of Management, Campus de Paris
THE DATA CONTROLLER’S OBLIGATIONS (GDPR)
C. Tools of the compliance and accountability
1. Actors (DPO, UE representative)
• SA must provide written advice in 8 weeks after receiving consultation request (can be
extended 6 weeks)
3.2 Certification
Article 42 GDPR
1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at
Union level, the establishment of data protection certification mechanisms and of data protection seals and
marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers
and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.