Article 9: Special categories of data
www.seersco.com
Special categories of data are sensitive information about individuals and need more protection.
Individuals' rights and freedoms are at increased risk when this type of data is processed. It may put them at risk of unlawful discrimination.
Article 10: Data of criminal convictions and offences
• Organisations must have both a lawful basis under Article 6 in the same way as for any
other personal data, and either legal authority or official authority for the processing under
Article 10.
• Organisations cannot keep a comprehensive register of criminal convictions unless they do
so in an official capacity.
Articles 13, 14: Right to be informed
• Data controllers should actively inform individuals about the processing of their personal
information through a privacy notice.
Right of access: Article 15
• The right of access allows individuals to confirm that their data is being processed, and verify the
lawfulness of the processing.
Right to rectification: Article 16
• Individuals have the right to have personal data rectified if the personal data is inaccurate or
incomplete.
Right to erasure: Article 17
• Also known as 'the right to be forgotten', this is the most difficult right to provide.
• Data subjects can have their personal data deleted or removed where there is no compelling reason
for its continued processing.
Right to restrict processing: Article 18
• Restriction of processing means being permitted to store the personal data, but not to
further process it.
• Individuals have the right to restrict the processing of personal data in certain circumstances:
Right to data portability: Article 20
• The right to data portability allows individuals to move, copy or transfer personal data
easily from one data controller to another, so they can reuse their personal data for their own
purposes across different services.
Right to object: Article 21
• Individuals have the right to stop the processing of their personal data unless the data controller
has compelling grounds to continue the processing:
  • they can demonstrate compelling legitimate grounds for the processing, which override the
  interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defence of legal claims.
Rights to be provided: Article 22
Rights to be provided when automated decision making and profiling are involved:
• “The data subject shall have the right not to be subject to a decision based solely on automated
processing, including profiling, which produces legal effects concerning him or her or similarly
significantly affects him or her.” [Article 22(1)]
Contractual obligations for third-party processors: Article 28
• Data controllers need to have a written contract in place if they want to outsource their
processing operation.
• The contract sets out the responsibilities and liabilities of both parties.
• It helps both parties to comply with the GDPR; and
• it helps controllers to demonstrate their compliance with the GDPR.
Record of processing activities: Article 30
• Organisations are required to maintain records of their processing activities under Article 30 of
the GDPR, and make the records available to the supervisory authority on request.
• Records must be kept in writing, kept up to date, and reflect your current processing activities.
• Controllers and processors both have documentation obligations.
• Keeping the record will help organisations demonstrate compliance with the requirements of
the GDPR.
Security of processing: Article 32
• The GDPR requires organisations to ensure the security of personal data by using
appropriate technical and organisational measures.
• Technical measures may include firewalls, antivirus, encryption, anonymisation and
pseudonymisation.
• Organisational measures may include introducing a privacy-oriented mindset and enforcing a data
protection policy in the organisation, securing the premises where data processing and storage
equipment is located, restricting and limiting access to data processing devices, and assigning roles
and responsibilities, including a key person responsible for the security of personal data.
• Such measures should protect the personal data against unauthorised or unlawful processing
and against accidental loss, destruction or damage.
Data breach
A personal data breach occurs when the security of processing is compromised, leading to:
1. unauthorised disclosure of, or access to, personal data;
2. accidental or unlawful destruction, loss or alteration; or
3. deliberate or accidental action (or inaction) by a controller or processor.
Notification of personal data breach to the supervisory authority: Article 33
• If there are high risks to the rights and freedoms of data subjects as a result of the breach,
organisations must notify the supervisory authority within 72 hours of becoming aware of it.
Notification of personal data breach to the individuals: Article 34
• Notification of a data breach to the individuals is mandatory only if the breach is likely to result in a
high risk to the rights and freedoms of individuals.
• The GDPR requires organisations to inform the individuals concerned directly and
without undue delay.
Data protection officers: Article 37
• The data protection officer is a formal role whose appointment is mandatory under the GDPR.
Cross-border data transfers
• The GDPR prohibits the transfer of personal information to third countries or international
organisations which are based outside the European Union.
• However, there are certain situations and conditions under which cross-border data transfers are
allowed.
Transfers on the basis of an adequacy decision by the Commission:
• According to Article 45 of the GDPR, transfers may be made where the Commission has decided
that a third country or an international organisation ensures an adequate level of protection.
The main advantage of an adequacy decision is that personal data can flow outside the
EU without any further safeguards.
Transfers subject to appropriate safeguards:
• Article 46 of the GDPR says that organisations may transfer personal data where the receiving
organisation has provided adequate safeguards. They should provide individuals with rights
and effective legal remedies after the transfer.
Binding Corporate Rules
• Binding Corporate Rules are internal rules for multinational companies to make
intra-organisational transfers of personal data across borders in compliance with EU Data Protection
Law. They ensure that all data transfers within a corporate group are safe. Article 47 of the GDPR
covers provisions for binding corporate rules.
Derogations
• Derogations are exemptions from the general prohibition on transfer of personal data outside
the EU for certain specific situations. Under Article 49 of the GDPR, a transfer can be