Lecture 3 - Test

Personal Data
Protection and
Management
Elsa MIMOUN
elsamimoun@ieseg.fr
IÉSEG - School of Management, Campus de Paris

LECTURE 3:
The
data protection regime
under the GDPR
Elsa MIMOUN
IÉSEG - School of Management,

Campus de Paris
THE DATA CONTROLLER’S OBLIGATIONS (GDPR)
I. The data subject’s protection

II. The data controller’s obligations
III. The data controller’s liability
1. Personal data shall be:

(a) Processed lawfully, fairly and in a transparent … (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes … (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary … (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; … (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which
the personal data are processed … (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data … (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

I. The data subject’s protection
II. The data controller’s obligations

III. The data controller’s liability
A. The data controller compliance
B. Privacy by design and by default

1. Principles
1.1 Privacy by design
1.2 Privacy by default
2. Obligations
2.1 Limitation
2.2 Security
C. Tools of the compliance and accountability

1. Actors (DPO, UE representative)
2. Processes (for security, DSA, DPIA)
3. Guarantees (codes of conduct, certification)

A. The data controller’s compliance
• The data controller is liable for GDPR compliance

•
Article 24
Responsibility of the controller
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying
likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate
technical and organisational measures to ensure and to be able to demonstrate that processing is performed in
accordance with this Regulation.

A. The data controller’s compliance
• What if he uses a data processor ?
• Article 28 GDPR :
« 1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to
implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation
and ensure the protection of the rights of the data subject.
2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of
general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other
processors, thereby giving the controller the opportunity to object to such changes. »
• Article 29 GDPR :
« The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not
process those data except on instructions from the controller, unless required to do so by Union or Member State law. »
•

1. Principles
2. Obligations
2.1 Exercise of the rights of the data subjects (cf supra)
2.2 Limitation
2.3 Security


1. Principles
! Art. 25.1 GDPR:
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of
processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the
processing, the controller shall, both at the time of the determination of the means for processing and at the time of
the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which
are designed to implement data-protection principles, such as data-minimisation, in an effective manner and to
integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and
protect the rights of data subjects.

B. Privacy by design and by default Data protection by design

Article 25.1 GDPR
1. Principles
1.1 Privacy by design Concept created by Ann Cavoukian in
the 1990s
From a corporate best practice the

GDPR made it mandatory legal
requirement
There are 7 principles PbD (criticized

for being somewhat vague)
You can read more about the

principles here

1. Principles
! Art. 25.2 GDPR

The controller shall implement appropriate technical and organizational
measures for ensuring that, by default, only personal data which are
necessary for each specific purpose of the processing are processed. That
obligation applies to the amount of personal data collected, the extent of
their processing, the period of their storage and their accessibility. In
particular, such measures shall ensure that by default personal data are
not made accessible without the individual's intervention to an indefinite
number of natural persons.”
Ex: when you download an app on your phone , you are asked for your consent to give access
to your pictures and videos
1. Principles
2. Obligations
2.2 Limitation
! Art. 5 GDPR
Personal data shall be :
(…)
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with
those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes
(‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data
minimisation’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the
personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed
solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance
with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this
Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
1. Principles
2. Obligations
2.1 Limitation
2.3 Security
The CIA Triad is a

principal for
information security
created in the 1980’s

1. Principles
2. Obligations
2.1 Limitation
2.3 Security
• What is a data protection breach?

Art. 4 (12)
‘personal data breach’ means a breach of
security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized
disclosure of, or access to, personal data
transmitted, stored or otherwise processed;

1. Principles
2. Obligations2.1 Limitation
2.3 Security
• What is a data protection breach?
Losing an
Sending an email Accidentally
encrypted USB
to the wrong deleting client’s Power fail
drive with client’s
recipient details
data
Unavailability due A university sends

Denial-of-service
to planned an email to alumni
(DDoS) attack
maintenance in cc instead of bcc

1. Principles
2. Obligations
2.1 Limitation
2.3 Security
• What are the obligations of the data
controller in case of a breach ?
• The obligation of notification

! To the supervisory authority
! To the data subject

1. Principles
2. Obligations
2.1 Limitation
2.3 Security
! To the supervisory authority (Article 33 GDPR)
In the case of a personal data breach, the controller shall notify the personal data
breach to the supervisory authority competent (national authority) unless the
personal data breach is unlikely to result in a risk to the rights and freedoms of
natural persons.
• Timing ?
• Content ?
1. Principles
2. Obligations
2.1 Limitation
2.3 Security
In the case of a personal data breach, the controller shall notify the personal data
breach to the supervisory authority competent (national authority) unless the
personal data breach is unlikely to result in a risk to the rights and freedoms of
natural persons.
• Timing ?
• Content ?
1. Principles
2. Obligations
2.1 Limitation
2.3 Security
• Content ? (Article 33.3)
« The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and
approximate number of data subjects concerned and the categories and approximate number of personal
data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where
more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data
breach, including, where appropriate, measures to mitigate its possible adverse effects. »
1. Principles
2. Obligations
2.1 Limitation
2.3 Security
! To the data subject (Article 34 GDPR)
• When the personal data breach is likely to result in a high risk to the rights and freedoms of natural
persons, the controller shall communicate the personal data breach to the data subject without undue
delay.
• The communication to the data subject shall describe in clear and plain language the nature of the
personal data breach and contain at least the information and measures required in the notification to the
authority.
• Exception : this notification is not necessary if the data controller has taken prior or subsequent measures
to prevent the high risk to the rights and freedoms of data subjects.
• The communication can be public if it would otherwise involve disproportionate effort.

3. Guarantees (codes of conduct, certification)

1. Actors
1.1 The DPO: the data protection officer
• Is it mandatory to
appoint a DPO?
• What a DPO does,
exactly?

1. Actors
Article 37 (Designation)
1. The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their
judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which,
by virtue of their nature, their scope and/or their purposes, require regular and systematic
monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of
special categories of data pursuant to Article 9 and personal data relating to criminal convictions
and offences referred to in Article 10.

1. Actors
Article 37 (Designation)
“2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily
accessible from each establishment.(…)
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies
representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a
data protection officer. The data protection officer may act for such associations and other bodies representing controllers or
processors.
5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of
data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service
contract.
7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the
supervisory authority.
1. Actors
Article 38
1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which
relate to the protection of personal data.
Article 39
The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this
Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the
controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training
of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article
36, and to consult, where appropriate, with regard to any other matter. IÉSEG - School of Management, Campus de Paris
1. Actors
1.2 An EU representative ( if not settled in the EU)
Article 27 GDPR :
1. Where Article 3(2) applies, the controller or the processor shall designate in writing a
representative in the Union.
2. The obligation laid down in paragraph 1 of this Article shall not apply to:
a. processing which is occasional (≠ large scale of data, sensitive data, criminal records)
b. a public authority or body.

2. Processes
2.1 For security
Article 32 GDPR:
“Security of processing
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as
the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the
time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and
organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data-minimisation,
in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation
and protect the rights of data subjects.
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the
security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in
particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted,
stored or otherwise processed.”
2. Processes
2.2 Records
Art. 30 GDPR
« Each controller and, where applicable, the controller's
representative, shall maintain a record of processing activities
under its responsibility.
The obligations … shall not apply to an enterprise or an

organisation employing fewer than 250 person unless the
processing it carries out is likely to result in a risk to the rights and
freedoms of data subjects, the processing is not occasional, or the
processing includes special categories of data as referred to in
Article 9(1) (sensitive data) or personal data relating to criminal
convictions and offences referred to in Article 10. »

2. Processes The records must be

2.2 Records - in writing, can be
electronic
- available to Supervisory
Authorities upon
request
=> Data controllers must keep a record of all processing activities:
- Name and contact info of controller, joint controller, representative, DPO
- Purpose of the processing
- Description of the catagories of the data subjects/personal data
- Catagories of recipients of the personal data, including international organizations/third countries
- Transfers of personal data to international organizations/third countries
- Time of retention
- General description of technical and organizational security measures

2. Processes
2.2 Records
But …
This obligation do not concern companies of less than 250 employees

unless high risk against rights/freedoms of data subjects, special category
data, regular processing, or criminal convictions


2.3 DPIA
• Data protection impact assessment (Article 35 GDPR)
Scope:
• Mandatory if you believe that processing certain personal data
will involve a high risk to the rights and freedoms of the data subjects
• Look at nature, scope, context, purpose of processing.
Are you using new tech like AI?
- Systemic and extensive evaluations based on automated processing
- Processing large scale special-category data/criminal conviction data
- Systematic monitoring of public areas – CCTV (ICO guidance available)
Exceptions :
- legal obligation necessity
- public interest necessity IÉSEG - School of Management, Campus de Paris

2.3 DPIA
• Data protection impact assessment (Article 35 GDPR)
DPIA Template
https://www.cnil.fr/en/PIA-privacy-impact-assessment-en

DPIA

2.3 DPIA
HARMS MITIGATIONS
Identify any harm or damage your processing • Deciding not to collect certain data
may cause – physical, emotional, or material: • Limiting scope of processing
• Inability to exercise rights • Reducing retention time
• Loss of control over use of personal data • Taking additional security measures
• Discrimination • Training staff to anticipate and mitigate risks
• Identity theft/fraud
• Anonymizing/pseudonymizing data
• Financial loss
• Data sharing agreements
• Reputation damage
• Physical harm • Making appropriate changes to Privacy Notices
• Loss of confidentiality • Offer opt-out
• Reidentification of pseudonymized data • Implement new systems to help data subjects
• Significant social/economic damage exercise their rights

2.3 DPIA
• DIAP & prior consultation (art. 36 GDPR)
• The data controller have to consult its supervisory authority (SA) if after conduction
the DPIA, he comes to the conclusion that the processing still results in high risk for
the rights and freedoms of the data subject even after mitigating the risks
• SA must provide written advice in 8 weeks after receiving consultation request (can be
extended 6 weeks)


2.4 DSA (Data Sharing Agreement )
! Sharing data with third parties
A DSA or Data Sharing Agreement
• sets out the purpose of the data sharing;

• sets standards;
• helps all the parties be clear about their roles;
• covers what happens to the data at each stage.


2.4 DSA (Data Sharing Agreement )
• Who are the parties to the agreement?
• What is the purpose of the data sharing initiative?
• The specific aims
What should • Why data sharing is necessary to achieve those aims
• The benefits you hope to bring to individuals/society more widely
be included in • Will other organizations be involved?
• Will there be another controller?
a DSA? • What data items will be shared?
• What is the lawful basis for sharing?
• Consent, legitimate interest
• Is there sensitive personal data being shared?
• What is the duration of the data being shared?
• What are the access and individual rights?
C. Tools of the compliance and accountability2.or processors
Associations and other bodies representing categories of controllers
may prepare codes of conduct, or amend or extend such
codes, for the purpose of specifying the application of this Regulation,

3. Guarantees such as with regard to:
3.1 Codes of conduct (a) fair and transparent processing;
(b) the legitimate interests pursued by controllers in specific contexts;
(c) the collection of personal data;
Article 40 GDPR: (d) the pseudonymisation of personal data;
(e) the information provided to the public and to data subjects;
(f) the exercise of the rights of data subjects;
1. The Member States, the supervisory (g) the information provided to, and the protection of, children, and the
authorities, the Board and the Commission shall manner in which the consent of the holders of parental responsibility
encourage the drawing up of codes of conduct over children is to be obtained;
intended to contribute to the proper application (h) the measures and procedures referred to in Articles 24 and 25 and
of this Regulation, taking account of the specific the measures to ensure security of processing referred to in Article 32;
(i) the notification of personal data breaches to supervisory authorities
features of the various processing sectors and
and the communication of such personal data breaches to data subjects;
the specific needs of micro, small and medium- (j) the transfer of personal data to third countries or international
sized enterprises. organisations; or
(k) out-of-court proceedings and other dispute resolution procedures for
resolving disputes between controllers and data subjects with regard to
processing, without prejudice to the rights of data subjects pursuant to
Articles 77 and 79
3. Guarantees 3.1 Codes of conduct
3.2 Certification
Article 42 GDPR
1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at
Union level, the establishment of data protection certification mechanisms and of data protection seals and
marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers
and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

SOS
e.mimoun@ieseg.fr
The present document uses some elements from M.

Marzetti’s and Clare Keonha Shin course of Data protection
for IESEG

Lecture 3 - Test

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lecture 3 - Test

Uploaded by

Copyright:

Available Formats

Personal Data

IÉSEG - School of Management, Campus de Paris

IÉSEG - School of Management,

I. The data subject’s protection

1. Personal data shall be:

IÉSEG - School of Management, Campus de Paris

II. The data controller’s obligations

A. The data controller compliance

B. Privacy by design and by default

C. Tools of the compliance and accountability

IÉSEG - School of Management, Campus de Paris

• The data controller is liable for GDPR compliance

IÉSEG - School of Management, Campus de Paris

• What if he uses a data processor ?

B. Privacy by design and by default

IÉSEG - School of Management, Campus de Paris

B. Privacy by design and by default

! Art. 25.1 GDPR:

IÉSEG - School of Management, Campus de Paris

B. Privacy by design and by default Data protection by design

From a corporate best practice the

There are 7 principles PbD (criticized

You can read more about the

IÉSEG - School of Management, Campus de Paris

1.2 Privacy by default

! Art. 25.2 GDPR

The CIA Triad is a

IÉSEG - School of Management, Campus de Paris

• What is a data protection breach?

IÉSEG - School of Management, Campus de Paris

Unavailability due A university sends

IÉSEG - School of Management, Campus de Paris

• The obligation of notification

IÉSEG - School of Management, Campus de Paris

C. Tools of the compliance and accountability

IÉSEG - School of Management, Campus de Paris

IÉSEG - School of Management, Campus de Paris

IÉSEG - School of Management, Campus de Paris

IÉSEG - School of Management, Campus de Paris

The obligations … shall not apply to an enterprise or an

IÉSEG - School of Management, Campus de Paris

2. Processes The records must be

IÉSEG - School of Management, Campus de Paris

This obligation do not concern companies of less than 250 employees

IÉSEG - School of Management, Campus de Paris

2. Processes (for security, DSA, DPIA)

2. Processes (for security, DSA, DPIA)

• Data protection impact assessment (Article 35 GDPR)

IÉSEG - School of Management, Campus de Paris

2. Processes (for security, DSA, DPIA)

2. Processes (for security, DSA, DPIA)

IÉSEG - School of Management, Campus de Paris

2. Processes (for security, DSA, DPIA)

! Sharing data with third parties

A DSA or Data Sharing Agreement

• sets out the purpose of the data sharing;

IÉSEG - School of Management, Campus de Paris

2. Processes (for security, DSA, DPIA)

codes, for the purpose of specifying the application of this Regulation,

3. Guarantees 3.1 Codes of conduct

IÉSEG - School of Management, Campus de Paris

The present document uses some elements from M.

You might also like