
2018 02 20 GDPR SEMINAR - Gemeente Sint-Martens-Latem


• In May 2018 the new European privacy legislation enters into force. The General Data Protection Regulation is a set of rules intended to better protect the data of European citizens. This regulation also applies to associations. We welcome Karel Holst of the GDPR expert firm IFORI, who will guide us through this complex subject in an accessible way. You can expect practical tips and advice.
In cooperation with the advisory councils and Katrien Dossche.


  1. GDPR INFO SESSION – Tuesday 20 February 2018
  2. THE GENERAL DATA PROTECTION REGULATION – GDPR: Legal Perspective (DE ALGEMENE VERORDENING GEGEVENSBESCHERMING – AVG). Presented by: Karel Holst, Legal Counsel – DPO, karel.holst@ifori.be. Blog: www.gdprexpert.be
  3. Contents: I. Data Protection – Overview; II. GDPR – Key changes/obligations; III. Conclusion – Action plan
  4. I. Data Protection – Overview
  5. Fundamental Rights (© 2018 IFORI – All rights reserved)
     EU Charter of Fundamental Rights, article 8(1): "Everyone has the right to the protection of personal data concerning him or her."
     The Universal Declaration of Human Rights, article 12: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
  6. Why a new overriding Regulation?
     Directive 95/46/EC sought to harmonize national legislations and ensure free flow of data within the EU. But:
     – Still differences in national implementation and application
     – Limited cooperation between Data Protection Authorities ('DPA')
     – Many technological & societal changes in the 20 years since Dir. 95/46/EC
     – Strengthen Data Subjects' rights
  7. Personal Data – Personal Data are everywhere!
     "Any information relating to an identified or identifiable natural person", e.g. name, location data, IP address, customer number, …
     Stricter rules for special categories of Personal Data (general prohibition):
     ‒ Racial or ethnic origin
     ‒ Political opinions
     ‒ Genetic and biometric data, solely for identification purposes
     ‒ Health data
     ‒ …
  8. Scope of Processing
     The processing of personal data wholly or partly by automated means AND manual processing if the personal data form part of a filing system or are intended to form part of a filing system.
     Processing: any operation or set of operations which is performed on personal data or on sets of personal data, e.g. collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  9. Processing (diagram)
     Data Subject → Personal Data (e.g. customer data: name, date of birth, address, …)
     → Controller: determines the purposes and the manner of the processing (e.g. IFORI, for marketing purposes, through an online registration form)
     → Processor: separate legal entity that processes on behalf of the Controller (e.g. a marketer that carries out mail marketing)
  10. Typical Processors
     • HR & Payroll management
     • IT
     • Communication
  11. Main objective
     Ensure the right of an individual to make his own decisions regarding the information that relates to him.
     Principles of processing:
     ‒ Fair, lawful and transparent
     ‒ Purpose limitation
     ‒ Data minimization
     ‒ Accuracy
     ‒ Storage limitation
     ‒ Integrity and confidentiality
     + Accountability
  12. II. GDPR – Key Obligations/Changes
  13. I. Territorial Scope
     The GDPR applies when:
     ‒ Processing takes place in the context of activities of an establishment in the EU
     ‒ The data subjects are located in the EU, and the processing is related to:
       • Offering goods or services
       • Monitoring of their behavior (in the EU)
  14. II. Lawfulness
     A valid legal basis to process the data is required:
     ‒ Consent
     ‒ Necessary for the performance of a contract
     ‒ Legitimate interests
  15. Consent
     – Freely given, specific, informed and unambiguous
     – It must be given by a statement or a clear affirmative action (thus opt-out NOT possible)
     – Proof of consent to be provided by Controller
     – Withdrawable
     – Obtained separately
     – Children: when offering information society services, processing is only lawful where the child is at least 16 years old. Younger = consent by holder of parental responsibility
  16. Necessary for the performance of a contract
  17. Legitimate interests
     ― Pursued by the controller
     ― Balance: interests / fundamental rights and freedoms of the data subject
  18. III. Rights of the data subject
     Transparency, Access, Rectify, Erasure (right to be forgotten), Restriction, Portability, Object, Not be subject to automated decision making (profiling)
  19. IV. Controllers and Processors – Controllers
     ‒ Privacy by default & design
     ‒ Records (Notification)
       • Not where <250 employees, unless high risk
       • Including general description of security measures
     ‒ Data breach notification
     ‒ Privacy Impact Assessment (PIA)/Prior consultation of DPA
     ‒ Choose appropriate processors – Processing Agreements
     ‒ Data Protection Officer (DPO)
     ‒ Data security
  20. Data Breach Notification
     Obligation to document all breaches
     To Data Protection Authority (DPA):
     – 72h deadline
     – Specific information
     – Documentation
     To data subject:
     – High risk to rights and freedoms
     – Clear and plain language
     – Exceptions
  21. Data Protection Officer (DPO)
     When?
     ‒ Public authority or body
     ‒ Regular and systematic monitoring of data subjects on a large scale
     ‒ Processing of special categories of data on a large scale
     Tasks?
     ‒ Inform and advise on the obligations pursuant to the GDPR
     ‒ Monitor compliance
     ‒ Advise on draft of PIA
     ‒ Cooperate with DPA
     ‒ External contact
     Who?
  22. Data Security
     Ensure confidentiality, integrity, availability and resilience by implementing appropriate technical and organizational measures. Risk-based approach (the state of the art, the costs of implementation, …):
     – Encryption/Pseudonymisation
     – Audits
     – Back-up and redundancy
  23. IV. Controllers and Processors – Processors
     ‒ Comply with specific obligations
       • Records
       • Data Security
       • PIA/DPO
       • Breach notification to Controller
     ‒ Directly liable
  24. V. Transfers
     General prohibition on transfers outside EEA (28+3)
     – Adequacy Decision
       • White list
       • EU-U.S. Privacy Shield
     – Appropriate Safeguards
       • Model Clauses (EC/DPA/Ad hoc)
       • Binding Corporate Rules
       • Codes of conduct / Certification
     – Derogations (e.g. explicit consent)
  25. EU-U.S. Privacy Shield List: https://www.privacyshield.gov/participant_search
  26. VI. Sanctions
     Administrative fines by DPA: effective, proportionate & dissuasive
     – Up to the greater of €20.000.000 or 4% of total worldwide annual turnover of an undertaking
     Private claims by data subjects
     – DPA
     – Courts, for compensation from Controller or Processor
     Criminal penalties possible where provided by member states
  27. Advantages of GDPR
     • Reduction of administrative burdens & costs
     • More legal certainty
     • Same rules within EU
     • Easier to transfer personal data
     • One-Stop-Shop
  28. III. Conclusion – Call to action
  29. Where to start?
     1. DPO(?) – Project team
     2. Awareness
     3. Register
     4. Information Security (IT)
     5. Processing Agreements
     From here: implement the other GDPR obligations
  30. Article 30 GDPR Register
     Your contact details
     For each processing activity:
     • purposes;
     • categories of data subjects & personal data;
     • the categories of recipients;
     • transfers to a third country + safeguards;
     • retention period;
     • description of security measures.
     Records of processing activities – Company XYZ (column groups on the slide: WHO | WHY = purposes | WHAT = data subjects and data | WHERE = storage | TRANSFER = receivers, outside EEA, measures)
     WHO | Processing Activity | Purposes | Categories of Subjects | Categories of PD | Specific | Source | Legal Ground | Retention | Storage | Measures | Receivers | Outside EEA | Measures
     HR | Personnel management (selection/recruitment) | | Applicants | Identification data | name, first name, age, domicile and residence | | Contract performance (AO) | Unlimited | Paper/ADMB tool/Mailbox | Information security policy | ADMB | N/A | N/A
     HR | Personnel administration | | Current staff/Former staff/Apprenticeship contract | Training and education | CVs, training, certification (clarck), professional competence | | Contract performance (AO) | Unlimited | Paper/ADMB tool/Volta (federation) | Information security policy | ADMB | N/A | N/A
     HR | Temps/Holiday workers | | | Identification data | name, contract, address, national register number | | Contract performance (AO) | Unlimited | Mailbox/paper contract | Information security policy | Temp agency | N/A | N/A
     HR | | | | Training and education/Profession and employment | CV | | Contract performance (AO) | Unlimited | Mailbox | Information security policy | N/A | N/A | N/A
     HR | | | | Identification data | email/name | | Contract performance (AO) | Unlimited | mailbox | Information security policy | N/A | N/A | N/A
     HR | Meal vouchers | | Current staff | Identification data | name, national register number | | Contract performance (AO) | Unlimited | Edenred | Information security policy | Edenred | N/A | N/A
     HR | Work planning | | Current staff | Organisation of work | Leave | | Contract performance (AO) | Unlimited | ADMB | Information security policy | N/A | N/A | N/A
     | Supplier administration | Supplier management | Contacts at suppliers | Identification data | name, email, telephone, address | | Contract performance (CT) | Unlimited | CRM | Information security policy | Cloud CRM | N/A | N/A
     Customer management | Customer administration | B2C: webshop | Customers | Identification data | see webshop | | Contract performance (CT) | Unlimited | CRM | Information security policy | N/A | N/A | N/A
     Customer management | | | Employees | Identification data | see webshop | | Contract performance (CT) | Unlimited | Excel + CRM | Information security policy | Microsoft (OneDrive) | US | Model Clauses
     Bookkeeping | Invoicing | | | Identification data | user-id | | Contract performance (CT) | Unlimited | EVA Online | Information security policy | Accountant/EvaOnline | N/A | N/A
     Bookkeeping | Bookkeeping | | | Identification data | name, email, address | | Contract performance (CT) | Unlimited | EVA Online | Information security policy | Accountant/EvaOnline | N/A | N/A
     Marketing | Email marketing | | Customers | Identification data | email address | | Consent | Unlimited | CRM | Information security policy | Mailchimp | N/A | N/A
     Marketing | Telemarketing | | | Contact data/identification data | telephone number | | Legitimate interest | Unlimited | CRM | Information security policy | Yello/Trendstop | N/A | N/A
     Website | Visitor administration | | Visitors | Electronic identification data | IP address | | Legitimate interest | Unlimited | Cloud CRM | Information security policy | Cloud CRM, Google Analytics | US | Model Clauses/Privacy
     Website | Contact form | | Visitors | Contact data | name, email, question | | Consent | Unlimited | Cloud CRM | Information security policy | Cloud CRM | N/A | N/A
     | Camera surveillance | Surveillance | Visitors | Images | Video | | Consent (sticker) | 31 days | On-premise server | Information security policy | N/A | N/A | N/A
  31. Records of processing activities – Company XYZ (full-size repeat of the Article 30 register table shown on slide 30)
  32. Useful resources
     www.privacycommission.be
     • Action Plan
     • Register template
     https://cst.cnpd.lu/portal/
     • GDPR self-assessment
  33. Take Action
     Not everything has changed, just as not everything has been harmonized.
     New obligations, but also removal of some administrative burdens and further guidance.
     (New) technologies introduce new compliance risks, but technologies can also be used to mitigate risk and/or ensure compliance.
     Take action now! GDPR applies from 25 May 2018
  34. Thank you – Questions?
     IFORI BVBA, Victor Braeckmanlaan 107, 9040 Gent, Belgium. Tel: +32 9 230 36 62, Fax: +32 9 231 63 71, E-mail: info@ifori.be. RPR: 472.073.759 (Gent), BTW: BE 472.073.759, IBAN: BE14 0689 0654 8283, BIC: GKCCBEBB
     WWW.IFORI.BE – WWW.GDPREXPERT.BE. Presentation available online: www.gdprexpert.be/gdprblog
  35. Related Legal Acts: Cookies, Network Infrastructure, Employees
  36. Cookies
     Directive on privacy and electronic communications – Telecoms Law (Be):
     – Information
     – Consent
     GDPR – Processing of personal data:
     ‒ Controller: You/Third party cookie provider
     ‒ Processor: Third party cookie provider
  37. Employment
     Monitoring: Belgium: CAO nr. 81 & Privacy Act/GDPR
     Principles: Finality, Proportionality, Transparency
     – Professional communications (?): Access (?)
     – Non-professional communications: Individualization Procedure
     See also recommendations by the Privacy Commission
  38. "One-stop-shop"
     Controllers and Processors answer to a 'lead supervisory authority'
     – Based on their single or main establishment in the EU
     – For cross-border processing
     But supervisory authorities may still address infringements:
     – If it relates to an establishment in its MS, or
     – If it substantially affects data subjects in its MS
     Consistency through cooperation between DPAs with EDPB oversight
