2. Legal disclaimer
This document does not constitute legal advice of any kind and
we take no responsibility for the correctness and completeness
of the information presented. Our goal is to provide a simplified
summary of the GDPR from our own subjective view. We
strongly recommend that you obtain proper legal advice and a
binding interpretation of the regulation for your organisation.
3. Example: Website and Online Shop
User profile data
- Personal data
- Payment information
- Newsletter data/preferences
- Order history
External service providers
- Payment provider
- Logistics partner
- Email marketing tool
Automated decision-making
- Behavioral (clickstream, order history)
- Profiling (location, interests)
4. Primary goals of the GDPR
Protection of natural persons with regard to
- the processing of personal data
- the free movement of personal data
5. What is personal data?
- Personal data = information relating to a natural person (also called 'data subject')
- Data subjects can be either identified or identifiable
EXAMPLES:
- IP address
- User name
- E-mail address
- Account number
- PIN/Password
- Voice scan
- Credit card number
6. Data controller and data processor
Data controller: determines the purposes and means of the processing
Data processor: processes personal data on behalf of the controller
EXAMPLE:
- Online shop provider
- Payment provider
- Logistics partner
- Email marketing tool provider
7. Article 5
Principles of personal data processing
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality
- accountability
8. Article 6
Lawfulness of processing
Processing is lawful if at least one of the following applies:
- Consent given by data subject
- Legitimate interest in processing the data
- Necessity for fulfilment of a contract
- There is a legal obligation
- Necessary for vital interests of the data subject
- Necessity for performance of a task in the public interest
9. Article 7
Consent of the data subject
Lawful consent according to the GDPR:
- No pre-checked boxes
- Easy to understand wording
- Specific consent for every purpose
- Is recorded in the system
- Is easy to withdraw (recall)
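The consent rules above and the later point that consent for one purpose (marketing) can be withdrawn while the others stay in place translate into a small data model. The following is an added illustration, not code from the original slides: a consent ledger that keeps one record per subject and purpose, refuses to create consent without an affirmative action (no pre-checked default), keeps the wording version the subject saw, and treats withdrawal as one more recorded event. Class and method names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ConsentRecord:
    purpose: str            # one record per purpose, never a bundle of purposes
    granted: bool           # True only after an affirmative action by the subject
    wording_version: str    # which consent text the subject actually saw
    timestamp: str          # ISO 8601, UTC, so the decision can be evidenced later


@dataclass
class ConsentLedger:
    # (subject_id, purpose) -> chronological list of records; nothing is ever deleted,
    # so the history itself is the evidence that consent was (or was not) given.
    records: dict = field(default_factory=dict)

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def grant(self, subject_id: str, purpose: str, wording_version: str,
              affirmative_action: bool) -> None:
        """Record consent for exactly one purpose.

        affirmative_action is the fact that the subject ticked the (unchecked) box
        or clicked the button; a default or silence must not become consent.
        """
        if not affirmative_action:
            raise ValueError("consent requires an affirmative action by the data subject")
        self.records.setdefault((subject_id, purpose), []).append(
            ConsentRecord(purpose, True, wording_version, self._now()))

    def withdraw(self, subject_id: str, purpose: str) -> None:
        """Withdrawal is as easy as granting and touches only the given purpose."""
        self.records.setdefault((subject_id, purpose), []).append(
            ConsentRecord(purpose, False, "-", self._now()))

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """The latest record decides; an unknown subject/purpose means no consent."""
        history = self.records.get((subject_id, purpose))
        return bool(history) and history[-1].granted

    def history(self, subject_id: str, purpose: str) -> list:
        return list(self.records.get((subject_id, purpose), []))


if __name__ == "__main__":
    # Constructed walk-through: a shop customer consents to two purposes,
    # later withdraws marketing only; analytics consent is unaffected.
    ledger = ConsentLedger()
    ledger.grant("customer-1", "marketing", "privacy-text-v3", affirmative_action=True)
    ledger.grant("customer-1", "analytics", "privacy-text-v3", affirmative_action=True)
    ledger.withdraw("customer-1", "marketing")
    print("marketing:", ledger.has_consent("customer-1", "marketing"))
    print("analytics:", ledger.has_consent("customer-1", "analytics"))
    for rec in ledger.history("customer-1", "marketing"):
        print(rec)
```

Before sending a newsletter, the sending code asks `has_consent(subject, "marketing")` at send time rather than caching the answer, so a withdrawal takes effect immediately, and the returned history is what you show a supervisory authority if asked to demonstrate how consent was obtained.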
11. Article 25
Privacy by design and by default
Systems and processes have to be designed to
- implement data protection in an effective manner and
- integrate the necessary safeguards into the processing
EXAMPLES:
OK Pseudonymization of data for tracking of user behaviour
OK Data minimisation when signing up users for a newsletter
NOT OK Form data submission by email (not using a secure database)
NOT OK Lack of account removal function
12. Article 13
Information and access to personal data
Controller must provide the following information:
- Contact details
- Purposes and legal basis of the processing
- Recipients of the data
- Period for which the personal data will be stored
- Description of data subject rights
- Source of the data
- Existence of automated decision-making, including profiling
13. Articles 15, 16, 17, 20, 21, 22
Rights of the data subject
The data subject has the right to
- get confirmation if data are being processed
- get access to, correct, delete and receive an export of all personal data
- object to personal data processing for direct marketing purposes
- object to automated decision-making (such as profiling)
- get human intervention to contest the above decision
14. Article 24
Responsibility of the data controller
The data controller must implement technical and organisational measures to
- ensure that data processing is in accordance with the GDPR
- be able to demonstrate the above
- review and update those measures
15. Article 30
Records of processing activities
Who/When
- more than 250 employees
- regular data processing
- risks to rights and freedoms of data subjects
- special data categories
What to include
- contact details
- purposes of the processing
- categories of data subjects
- categories of personal data
- categories of recipients
- time limits for erasure of the different categories of data
- description of the technical and organisational security measures
16. Article 32
Security of processing
Technical and organisational measures:
- pseudonymisation and encryption of personal data
- ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
- ability to quickly restore access to personal data in the event of an incident
- process for regular testing, assessment and evaluation of the effectiveness of security measures
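Pseudonymisation appears twice above: as the "OK" example under Article 25 (tracking user behaviour) and as the first measure under Article 32. The following added example, not code from the original slides, shows the pattern for a clickstream store: the e-mail address is replaced by a keyed pseudonym (HMAC-SHA256) and every field the tracking purpose does not need is dropped. The key is the assumption that makes this pseudonymisation rather than anonymisation: the controller holds it apart from the event store and can re-link a record to a customer (for example to honour an access or erasure request), while the event store alone cannot. The sample events and the demo key are constructed for the example.

```python
import hashlib
import hmac


def normalise(identifier: str) -> str:
    # Same person, same pseudonym: strip whitespace and case before keying.
    return identifier.strip().lower()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) for a direct identifier such as an e-mail address.

    A plain hash would not do: e-mail addresses and account numbers are guessable,
    so anyone holding the store could recompute the hash of a candidate address and
    re-identify the record. With HMAC the key is needed, and the key stays with the
    controller, outside the event store.
    """
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


# Data minimisation: the only fields the behaviour-tracking purpose needs.
TRACKING_FIELDS = ("action", "timestamp")


def minimise_event(event: dict, key: bytes) -> dict:
    """Replace the direct identifier with a pseudonym and drop everything else (IP, e-mail)."""
    out = {name: event[name] for name in TRACKING_FIELDS}
    out["subject"] = pseudonymise(event["email"], key)
    return out


def pseudonymised_store(events, key: bytes) -> list:
    """What the analytics database receives: linkable per subject, but no direct identifiers."""
    return [minimise_event(e, key) for e in events]


def distinct_subjects(store) -> int:
    return len({e["subject"] for e in store})


# Constructed sample events as they might arrive from a shop front end.
SAMPLE_EVENTS = [
    {"email": "Anna@Example.org", "ip": "203.0.113.7",
     "action": "view:item/42", "timestamp": "2024-05-01T10:00:00Z"},
    {"email": "anna@example.org ", "ip": "203.0.113.7",
     "action": "add_to_cart:item/42", "timestamp": "2024-05-01T10:01:30Z"},
    {"email": "ben@example.org", "ip": "198.51.100.9",
     "action": "view:item/7", "timestamp": "2024-05-01T10:02:00Z"},
]


if __name__ == "__main__":
    demo_key = b"\x01" * 32   # constructed; a real key comes from a key store, not the code
    store = pseudonymised_store(SAMPLE_EVENTS, demo_key)
    for row in store:
        print(row)
    print("distinct subjects:", distinct_subjects(store))
```

Two properties worth checking in your own deployment follow from the design: the two events from the same customer map to one pseudonym, so behaviour can still be analysed per subject, and rotating the key (for a new reporting period, say) yields unrelated pseudonyms, which is exactly the effect you want if old and new data should not be linkable.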
17. Articles 33, 34
Notification of a personal data breach
A data breach must be reported to
- the supervisory authority
  - within 72 hours
  - unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
- the data subject
  - without undue delay
  - only in case of high risk to the rights and freedoms of natural persons
18. Article 35
Data protection impact assessment
Who/When
- in case of high risk to rights and freedoms of natural persons
- prior to the processing
- single assessment for similar processing operations or similar high risks
What to include
- description of processing operations and purposes of the processing
- assessment of necessity and proportionality of processing operations in relation to the purposes
- assessment of risks to rights and freedoms of data subjects
- documentation of measures that will be taken to address the risks
19. Articles 37, 38, 39
Data protection officer
Who/When
- public authority
- regular processing
- special categories of data
How
- is involved in all issues
- has the required resources to carry out the tasks and maintain expert knowledge
- is independent
What
- inform and advise
- monitor compliance
- cooperate with the supervisory authority
20. Articles 42, 77, 83
Certification and supervision
- Complaints with a supervisory authority
  - every data subject has the right to lodge a complaint
  - supervisory authority must inform on progress and outcome
- Fines
  - effective, proportionate and dissuasive
  - up to EUR 20 million or 4% of the total worldwide annual turnover
- Certification
  - register of certification mechanisms and data protection seals and marks will be available publicly
21. Overview of overall GDPR impact
Functional
- Get express consent from users
- Provision of additional information to data subjects
- Add ability to erase and export all user data
- Add ability to correct inaccurate user data
- Withdraw consent for one purpose (marketing) and leave the others in place
- Add ability for human intervention
- Demonstrate security measures
- Control access to the user data
Business/Process
- Clearly define purposes and consents
- Add human intervention mechanisms to the system(s)
- Review and update security measures
- Create records of processing activities
- Ensure the supervisory authority is informed in the case of incidents (within 72h)
- Create a data protection impact assessment
- Assign data protection officer(s)