PERSONAL DATA PROTECTION (EU)
Regulation (EU) 2016/679 of April 2016
Publication date: February 06, 2017
ARETE-ZOE, LLC: 1334 E Chandler Blvd 5A-19, 85048 Phoenix, AZ, USA | T:+1-480-409-0778 (24/7) | website: http://www.aretezoe.com/
Overview
• Repeals Directive 95/46/EC
• Passed in April 2016
• To be adopted by May 2018
• Protection of data of natural persons is a fundamental human right
• Free movement of personal data within the EU not restricted
• Includes ‘data concerning health’
• Conditions of consent
• Processing of special categories of personal data severely restricted
• Right to access, rectification and erasure
• Obligations of controllers and processors
• Security of personal data
• Member states shall incorporate specifics in national law
INTENT
Regulation (EU) 2016/679 of April 2016
This Regulation is intended to contribute to the accomplishment of an area of
freedom, security and justice and of an economic union, to economic and
social progress, to the strengthening and the convergence of the economies
within the internal market, and to the well-being of natural persons.
The Treaty on the functioning of the European Union
Right to the protection of personal data
• All natural persons regardless of nationality or residence
• Not an absolute right but balanced against other rights
• Substantial increase in cross-border flow of personal data
• Public and private actors & national authorities
• Technological developments
• Globalization
• Disclosures made through social networks
• Differences in data protection hinder business
Coherent data protection & enforcement required for
digital society and economy to thrive
• Definition
• Rights of natural persons that are protected
• Legal persons not affected
• Powers for monitoring and ensuring compliance, incl. sanctions
• Purpose
• Legal certainty and transparency for economic subjects
• Same level of enforceable rights for all natural persons in the EU
• Effective cooperation between supervisory authorities
• Provisions for small business (<250 employees)
• National security, common foreign/security policy matters excluded
Principle of technological neutrality for data processing to
cover both automated and manual systems
Exemptions
Purely personal or household activity
• Correspondence
• Holding of addresses
• Social networking
• NOT Controllers of household activities
• NOT Courts and judicial authorities
• EXEMPT
• Anonymous information
• Deceased persons
Applicability
• Controller
• Processor
• Intermediary
• Commercial
• Diplomatic
• Processing of personal data of EU natural persons
• Regardless of whether the processing itself takes place within the EU
• Regardless of place of establishment of the controller / processor / intermediary
• Effective and real exercise of activity through stable arrangements.
• Customers’ data (incl. marketing)
• Intention to offer goods or services to data subjects in the EU:
• Accessibility of website in the EU
• Email address/contact details,
• Language and/or currency
• Possibility of ordering goods and services
• Mentioning of customers or users who are in the EU
• Monitoring of EU data subjects on EU territory
• Tracking persons online and their profiling,
• Analysis/prediction of personal preferences, behaviors and attitudes.
• Diplomatic mission or consular posts of Member States
National authorities
• Tax and customs authorities
• Financial investigation units
• Independent administrative authorities
• Financial market authorities (securities markets)
• Requests for disclosure in writing, reasoned and limited
Purpose of data processing
• Compliance
• Public interest
• Exercise of official authority
• Specific situations clearly defined
Health data
• (33) Scientific research
• (34) Genetic data
• (35) Health data
• Data subjects should be allowed to give consent to certain areas of
scientific research or its parts in compliance with ethical standards
• Genetic data should be defined as personal data: analysis of a biological
sample (chromosomal, DNA or RNA analysis)
• Personal data concerning health:
• Health status of a data subject (past, current or future)
• Physical or mental health status
• Information collected for registration or provision of health care services
• Unique identifiers for health purposes
• Information derived from medical and laboratory tests or examinations
Information on disease, disability, disease risk, medical history,
clinical treatment or the physiological or biomedical state
Applicability
• Identifiable live persons
• Declare risks, rules, rights
• Define safeguards
• Legitimate purpose
• Limited time
• Accuracy / Correction
• Security
• Confidentiality
Processing of personal data
• Declare: risks, rules, safeguards and rights and how to exercise their rights.
• Purpose: explicit, legitimate and declared, cannot be fulfilled by other means
• Storage: limited to a strict minimum, time limits for erasure / periodic review.
• Corrections: Inaccurate personal data should be rectified or deleted
• Security and confidentiality
• Children: specific protection for marketing or creating profiles
Identified or identifiable natural persons
• Including pseudonyms, if attributable
• Direct and indirect identification
• Costs of identification/attribution
• Technological: device identifiers, IP addresses, cookies, RFID tags
• If a person cannot be identified, the controller has no obligation to follow-up
Pseudonymization during processing recommended to reduce risks
Lawful Processing
Lawful | Fair | Transparent
Consent
In the context of entering into contract
Compliance with legal obligation
Public interest (public health)
Exercise of official authority (specifics defined in national law)
Essential for the life of the data subject or that of another natural person.
Vital interest of another natural person (if there is no other legal basis).
Humanitarian purposes, epidemics, emergencies, disasters
Legitimate interests of a controller based on relationship with data subject
Group of undertakings: transmitting data for internal administrative purposes
Extent strictly necessary and proportionate
Transparency: concise, accessible, easy to understand
Information Security
• Availability
• Authenticity
• Integrity
• Confidentiality
• Ensuring network and information security
• Resilience of a network or an information system
• At a given level of confidence
• Resist accidental events and/or unlawful or malicious actions
• Data and information security
• Both stored and transmitted personal data
• Security of the related services offered via those networks
• Legitimate interests: public authorities, CERTs, CSIRTs, by carriers,
providers of security technologies and services
Preventing unauthorized access to networks, malicious code
distribution and stopping ‘denial of service’ attacks and
damage to computers and networks.
Controller
CONTROLLER
• Organization: the main establishment of the
processor should be its central administration
• A group of undertakings should cover a controlling
and controlled undertakings
• Erasure: all controllers who made the data public
• Controllers shall erase any links, copies or
replications of personal data
• Methods: restriction of public access to such data
• NOT: controllers in the exercise of their public duties
• Data subject shall receive data in a structured format
• Portability: right to have personal data transmitted
directly from one controller to another.
DATA SUBJECT
• Right to object to the processing of any personal data
• Direct marketing: the right to opt out, free of charge
• Request, Access, Rectify and Erase data about self
• Right to be informed of profiling and its consequence
• Informed of disclosure to third parties
• Where the controller processes a large quantity of
information about the subject, the request for disclosure
needs to be specific
• Controller should take reasonable measures to identify
the requestor
Controller has to demonstrate that its compelling legitimate
interest overrides the interests of the data subject.
Non-original Purpose
The processing of personal data for purposes other than
those for which they were originally collected should be
allowed only if
• Such processing is compatible with the original purposes
• Data subject has given consent
• Serves important objectives of general public interest
• Transmission of susp. criminal acts or threats to public
security to law enforcement
Legal, professional or other binding obligation
of secrecy applies.
The right to be forgotten
ERASURE
• Right to have own personal data rectified
• Infringement of this regulation
• Personal data no longer necessary for
purposes for which they were processed
• Data subject has withdrawn consent
• Data subject objects
• Processing not in compliance with this Reg.
• Data subject consented as a child
• Controller should ensure erasure of links,
copies or replications
RETENTION
• Freedom of expression and information
• Compliance with a legal obligation
• Task carried out in public interest
• Official authority vested in the controller
• Public interest in the area of public health
• Archiving purposes in the public interest
• Scientific or historical research
• Statistical purposes
• Establishment, exercise, defense of legal claims.
Sensitive data
Profiling
Particularly sensitive personal data and profiling
• Racial or ethnic origin
• Political opinions, religion or philosophical beliefs
• Trade union membership
• Genetic data, health data, sex life
• Criminal convictions or offences and security measures
• Photographs for identification don’t count as racial profiling
• Analysis of personal aspects, performance at work
• Economic situation
• Personal preferences or interests
• Reliability or behavior
• Location or movements
• Allowed in employment law, social protection law, health security
• Allowed where expressly authorised (fraud, tax-evasion monitoring)
The data subject should have the right not to be subject to a decision based solely
on automated processing and which produces legal effects
(automatic refusal of an online credit application or e-recruiting practices)
Risks to natural persons
Discrimination
Identity theft or fraud
Financial loss
Damage to reputation
Loss of confidentiality of data protected by professional secrecy
Reversal of Pseudonymisation
Economic or social disadvantage
Rights of data subject vs. rights of society
• Data subject’s rights need to be balanced against the rights of the society
• Responsibility and liability of the controller needs to be established
• The risk to the rights and freedoms of natural persons, of varying likelihood
and severity could lead to physical, material or non-material damage:
• Data subjects might be deprived of their rights and freedoms or prevented
from exercising control over their personal data;
High risk:
• Vulnerable persons (children)
• Large amount of personal data
• Large number of data subjects
Risk assessment
• The likelihood and severity of the risk to the data subject should be determined
by reference to the nature, scope, context and purposes of processing
• Establish whether risks involved in data processing operations
Data Security Measures
Appropriate technical and organizational measures
• Risk assessment relating to the scope, nature and purpose of processed data
• Clear allocation of the responsibilities
• Representative if controller/processor is not established in the Union
• Development, design, selection and use of applications, services and products
• Create and improve security features
• Expert knowledge, reliability and resources
• Encryption
• Approved code of conduct
• Certification mechanism
• Records of processing activities for audit purposes
Balance costs against risks of data destruction, loss, alteration, or disclosure
Data protection impact assessment for high risk data
Scope | Nature | Scale | Purpose
Data Breaches
• Reportable within 72 hrs
• Impact assessment
Report data breaches to supervisory authority within 72 hours
• Controller should communicate high risk data breaches to the subject
• Nature of the personal data breach
• Recommendations to mitigate potential adverse effects.
• Intervention of the supervisory authority
• Appropriateness of technical protection
• Likelihood of identity fraud or other forms of misuse
Impact assessment of large-scale data processing operations
• Obligation of controllers/processors
• Consultation of the supervisory authority and/or experts required
• Special categories of personal data
• Data relating to criminal convictions and offences
• Codes of conduct and certification systems
International data flow
Flows of personal data to and from countries outside the
Union are necessary for trade
• Level of protection of natural persons should not be undermined
• Appropriate safeguards for the data subjects
• International agreements for the transfer of personal data to third countries
European Commission
• May decide which countries offer an adequate level of data protection
• May revoke such a decision
• Monitors the functioning of decisions
• May recognize that a third country no longer ensures adequate level of protection.
Controller/Processor
• Measures to compensate for the lack of data protection
• Binding corporate rules, standard data protection clauses or contractual clauses
• Provisions for occasional consensual data transfers
• Derogations for data transfers for important reasons of public interest
• Scientific or historical research purposes or statistical purposes
• International laws requiring transfer or disclosure of personal data
Supervisory authorities
National Supervisory Authorities
• Competent on the territory of its own Member State
• Contribute to consistent application of the law throughout the Union
• Powers exercised impartially, fairly and within a reasonable time
• Act in accordance with procedural law
• Power to impose a limitation, including a ban, on data processing.
• Measure should be appropriate, necessary and proportionate and in writing
• Urgent need to act: provisional measures valid up to 3 months.
Joint operations
• If more than one are involved, one should function as a single contact point
• One-stop-shop mechanism
Constraints
• Unable to conduct investigations outside their borders
• Insufficient preventative or remedial powers
• Inconsistent legal regimes and resource constraints
Handling Complaints
• Data subjects should have the right to lodge a complaint with a single Supervisory Authority
• Organization that could lodge complaints independently from data subjects’ mandate
• Annulment of decisions: Board before the Court of Justice (Article 263 TFEU).
• Legally binding decisions of Supervisory Authorities shall be subject to judicial review
• Courts ensure consistency of application of the Regulation
• Controller/processor liable for damage caused by infringement of this Regulation
• The controller/processor exempt from liability if it proves that it is not responsible for damage
• Data subjects entitled to compensation for damage
Enforcement
Controllers/processors involved in data processing all liable for the entire damage.
Where joined to the same proceedings, compensation shall be apportioned.
Penalties for infringement: administrative fines or reprimand
• Nature, gravity and duration of the infringement
• Intent, actions taken to mitigate the damage, degree of responsibility
• Relevant previous infringements
• Compliance with measures
• Adherence to a code of conduct
• Other aggravating or mitigating factor.
• Imposition of penalties subject to procedural safeguards
• Criminal penalties may apply (Denmark)
• Criteria for infringements and upper limit for fines
• Consistent application
System which provides for effective, proportionate and
dissuasive penalties
Balance other rights
• Freedom of expression, information, journalism, art and literary expression
Employment context
• Collective agreements, including ‘works agreements’
Public interest
• Archiving, scientific or historical research, statistical purposes
• Reuse of official documents
Safeguards
• Assess feasibility of processing data w/o identification - pseudonymization.
• For the processing of personal data for special situations
• For data subjects: rights to rectification, to erasure, to be forgotten, to restriction
of processing, to data portability, and to object
• Procedures and technical and organizational measures
• Proportionality and necessity principles
• Other relevant legislation (clinical trials).
Coupling information from registries: i.e. medical research, social science,
subject to conditions set out in specific EU or national law (clinical trials)
Freedom of expression
Reuse of public information
Public Interest
• Archiving
• Scientific Research
• Historical Research
• Statistical Purposes
Archiving
• Legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote,
disseminate and provide access to records of enduring value for public interest.
• Processing of personal data for archiving purposes: political behavior under totalitarian
regimes, genocide, crimes against humanity, Holocaust, or war crimes.
Scientific research
• Technological development and demonstration, fundamental research, applied research
and privately funded research
• Union's objective under Article 179(1) TFEU of achieving a European Research Area.
• Studies conducted in the public interest in the area of public health.
• Specific conditions apply for publication/disclosure of personal data in scientific context
• Consent to the participation in scientific research: Regulation (EU) No 536/2014
Historical research
• Applicability includes historical research and genealogy
Statistical purposes
• National law determines content, access controls, specifications, and safeguards
• Result of processing for statistical purposes is aggregate data, not personal
Supervision
Supervisory authorities
• Access to personal data on controller’s premises
subject to national law
• Specific rules for professional secrecy obligations
• Specific rules for churches and religious associations
• Movement of data: Article 290 TFEU delegated to EC
• Criteria and requirements for certification
• Information to be presented by standardized icons
• Uniform conditions for the implementation
• Specific measures for small business
Procedure
• Standard contractual clauses
• Codes of conduct
• Technical standards and mechanisms for certification
• Decisions on adequacy of protection in third country
• Standard protection clauses
• Formats and procedures for information exchanges
• Mutual assistance
• Arrangements for information exchange between
supervisory authorities
• Implementing acts regarding third countries and
international organizations
GENERAL PROVISIONS
Objectives | Scope | Exemptions | Territory | Definitions
Objectives
• Protection of personal data of natural persons
• Free movement of data within the EU not restricted
Scope
• Processing of personal data by automated means
• Processing other than by automated means which form part of a filing system
Exemptions
• Activity outside the scope of Union law
• Member States carrying out activities under Chapter 2 of Title V of the TEU
• Purely personal or household activity
• Competent authorities for prevention and investigation of crimes and public threats
• EU agencies: Regulation (EC) No 45/2001 (Art 98)
• Liability rules of intermediary service providers: Directive 2000/31/EC (Art 12 - 15)
Territory
• Processing of personal data by controllers/processors established in the EU
• Data subjects who are in the EU: trade and marketing, monitoring and tracking
‘personal data’ means any information relating to an identified or identifiable
natural person (‘data subject’); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an identifier such
as a name, an identification number, location data, an online identifier or to one
or more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person
‘personal data breach’ means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorized disclosure of, or access to,
personal data transmitted, stored or otherwise processed
‘data concerning health’ means personal data related to the physical or mental
health of a natural person, including the provision of health care services, which
reveal information about his or her health status
‘personal data’ - ‘processing’ - ‘restriction of processing’ - ‘profiling’ -
‘pseudonymisation’ - ‘filing system’ - ‘controller’ - ‘processor’ - ‘third party’ -
‘consent’ - ‘personal data breach’ - ‘genetic data’ - ‘biometric data’ - ‘data
concerning health’ - ‘main establishment’ - ‘representative’ - ‘enterprise’ - ‘group
of undertakings’ - ‘binding corporate rules’ - ‘supervisory authority’ - ‘supervisory
authority concerned’ - ‘cross-border processing’ - ‘relevant and reasoned
objection’ - ‘information society service’ - ‘international organization’
DEFINITIONS
PRINCIPLES
Lawful-Fair-Transparent | Consent | Special categories
LAWFULNESS | FAIRNESS | TRANSPARENCY
Personal data shall be processed lawfully, fairly
and in a transparent manner
• Purpose limitation: collected for specified, explicit and legitimate purposes
• Public interests: archiving, scientific or historical research, or statistical purpose
• Data minimization: adequate, relevant and limited
• Accuracy: accurate, up to date; erased or rectified without delay
• Identifiable data subjects – adequate form
• Storage limitation: No longer than necessary
• Appropriate security of the personal data
• Integrity and confidentiality: Protection against unauthorized or unlawful
processing, loss, destruction or damage
• Accountability: controller shall be able to demonstrate compliance
LAWFULNESS | FAIRNESS | TRANSPARENCY
Personal data shall be processed lawfully, fairly
and in a transparent manner
• Data subject consented to data processing for a specific purpose
• Controller/processor has a contract to which the data subject is party
• Compliance with Controller’s legal obligation
• Protection of vital interests of the data subject or of another natural person
• Public interest or official authority vested in the controller
• Legitimate interests pursued by the controller or by a third party
• Requirements for specific processing situations (Chapter IX)
• Legal basis for purpose of processing specified in other EU or national law
• Further processing: based on data subject's consent, legal requirement, or for
purpose compatible with the original purpose, special type data and safeguards
Consent
Clear | Affirmative | Freely given | Specific | Informed | Unambiguous
GO
• Written statement, including electronic, oral
• Intelligible, easily accessible, in a clear and
plain language w/o unfair terms.
• Ticking a box, choosing technical settings
• Processing for multiple purposes requires
multiple consents
• Documented by controller for audit purposes
• Informed: identity of the controller, purpose(s)
• Freely given: genuine choice
• Able to refuse/withdraw w/o detriment.
• Contract only if necessary for performance of
such contract
NO-GO
• Silence rather than consent
• Pre-ticked boxes or inactivity
• Clear imbalance (public authority)
• No separate consents to different operations
CHILD’S CONSENT
• Minimum age 16 years, otherwise parents
• Member States may lower age to 13
PROHIBITED CATEGORIES
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data
• Data concerning health
• Sex life or sexual orientation
EXCEPTIONS
• Data subject has given explicit consent
• Obligations in employment, social security/protection
• Protection of vital interests where the data subject is
physically or legally incapable of giving consent
• Legitimate activities by NGOs with related aim
• Personal data manifestly made public by the data subject
• Establishment, exercise or defense of legal claims
• Substantial public interest
• Law proportionate to the aim pursued
• Preventive or occupational medicine
• Work assessments, medical diagnosis and care
• Management of health or social care systems
• Contract with a health professional
• Public health, serious cross-border threats to health
• Archiving, scientific or historical research, statistics
• Safeguards may include obligation of secrecy
Registries of criminal convictions and offences or security
measures shall be processed by an official authority
Controller shall not be obliged to process additional
information in order to identify the data subject
RIGHTS OF DATA SUBJECT
Transparency | Modalities | Rectification | Erasure
Objection | Portability | Profiling | Restrictions
Transparency and modalities
Controller provides information relating to processing to data subject
• in writing, in accessible form, within 1 month, free of charge
• shall not refuse to act on the request
• except: when controller cannot identify the data subject
• by electronic means where possible
• Requests manifestly unfounded or excessive: charge a fee or refuse to act
• If in doubt, the controller may request confirmation of identity
• Information provided: easily meaningful overview of intended processing
• EC shall adopt delegated acts to determine standardized icons and procedures
Lodge complaint with a supervisory authority
Judicial remedy
Request to controller
Information and access to own personal data
Data collected from the data subject
• Controller’s identity and contact
• Purposes and legal basis for processing
• Third party recipients
• Transfer to a third country
• Safeguards
• Storage period
• Rights: to access, rectification, erasure, restriction, portability
• Right to withdraw consent
• Right to lodge a complaint with a supervisory authority
• Condition of contract/statutory requirement
• Consequences of failure to provide such data
• Automated decision-making, including profiling
• Logic, significance and consequences of processing
• Further processing for other purposes
Data obtained from elsewhere
• Ditto and more:
• Categories of personal data concerned
• Means to obtain a copy
• Where the processing is based
• Where did the data originate, public sources?
• Disclosure to another recipient
Duty to inform data subject shall not apply
• the data subject already has the information;
• disproportionate effort (archiving, research)
Right to obtain erasure of personal data where one of the following grounds applies:
• personal data are no longer necessary in relation to purpose of processing
• data subject withdraws consent, no other legal ground for processing
• data subject objects to processing, no overriding legitimate grounds
• personal data have been unlawfully processed
• compliance with a legal obligation
• personal data have been collected online
Controller IS obliged to erase the data
- erase any links, copies or replications
Controller NOT obliged to erase the data
- freedom of expression and information
- compliance with a legal obligation
- public interest in the area of public health
- archiving, scientific or historical research, statistical purposes
- establishment, exercise or defense of legal claims.
Rectification and erasure
Restriction on processing
• Accuracy contested by the data subject
• Processing is unlawful, data subject opposes erasure, requests restriction
• Controller no longer needs the data, data subject does for legal reasons
• Pending verification re legitimate grounds vs data subject’s rights
• IF Restricted: data subject's consent required for processing
• Notification obligation: lifting restriction, rectification, erasure
Right to data portability
• Right to receive data in a structured machine-readable format
• Right to transmit those data to another controller
• Does not apply to processing in public interest or official authority
Right to object
• Right to object, on grounds relating to situation, at any time
• Right to object includes profiling
• Data subject’s rights vs. compelling legitimate grounds for the processing
• Direct marketing purposes – opt out
• Right to object presented clearly and separately from any other information
Scientific or historical research purposes or statistical purposes
• Right to object exists unless the processing purpose is public interest
Automated individual decision-making, including profiling
• Right not to be subject to an automated decision which produces legal effects
• EXCEPT: contract relationship, authorised by law, explicit consent
• Right to obtain human intervention and to contest the decision
Union or Member State law
may restrict obligations and rights when necessary and proportionate to safeguard:
• National security
• Defense
• Public security
• Prevention, investigation, detection or prosecution of crimes
• Prevention of threats to public security
• Important objectives of general public interest
• Important economic or financial interest of the Union or of a Member State
• Public health and social security
• Protection of judicial independence and judicial proceedings
• Breaches of ethics for regulated professions
• Monitoring, inspection or regulatory function connected to exercise of official authority
Any legislative measure shall contain specific provisions that
balance these rights
CONTROLLER AND PROCESSOR
Responsibilities | Security | Data breaches | DPO
Impact assessment | Code of Conduct | Certification
Responsibility of the controller
• Appropriate technical and organizational measures to ensure compliance
• Appropriate data protection policies by the controller.
• Adherence to approved codes of conduct
• Safeguards: pseudonymization, data-protection principles, data minimization
• Procedural controls
• Certification mechanism
Joint controllers
• Two or more controllers jointly determine the purposes and means of processing
• Determine their respective responsibilities
• Designate a contact point for data subjects
• Arrangement shall be made available to the data subject.
Representative
• Controllers or processors not established in the Union shall have a representative
Processor
• Processing on behalf of a controller
• Appropriate technical and organizational measures to ensure compliance
• Written authorization and contract with controller
• Documented instructions and legal grounds
• Confidentiality obligation
• Assist the controller via technical, organizational and other means to ensure compliance
• Upon completion of processing either deletes or returns data to controller
• Maintains audit trail, documented inspections and audits
• Informs controller about any infringements
• Subcontracting – same rules apply to all processors
• Adherence to code of conduct, contracts and certifications
• EC and Supervisory authorities may adopt standard contractual clauses
• In case of infringement the processor shall be considered a controller
• The processor shall not process data except on instructions
• Controllers and processors maintain detailed records of processing activities
• The controller and the processor shall cooperate with supervisory authorities
Security of personal data
Security of processing
• - state of the art and costs of implementation
• - nature, scope, context and purposes of processing
• - likelihood and severity of risks to natural persons
Technical and organizational measures to ensure appropriate security
• - pseudonymization and encryption of data
• - confidentiality, integrity, availability and resilience of processing systems and services
• - ability to restore availability and access to data after an incident
• - testing, assessing and evaluating the effectiveness of measures
Security assessments
• Consider risks from unlawful destruction, loss, alteration, unauthorized disclosure or access
• Code of conduct, certification mechanism as means to demonstrate compliance
• Access to data is limited to processing purpose
Data breaches
Breach notification to SA
• Notification of a personal data breach to the supervisory authority
• Controller to SA within 72 hours after having become aware of a breach
• Processor shall notify controller
• Content: nature and extent of the breach, contact point, likely consequences and measures
• Documentation: remedial actions taken
Breach notification to the data subjects
• High risk breaches shall be communicated to data subjects
• Nature of the breach and measures taken
• Not required if:
• - the data was encrypted,
• - high risk no longer likely due to measures implemented
• - disproportionate effort, public communication sufficient
• Supervisory authority may require the controller to communicate the breach
Data protection impact assessment
High risk: new technologies, nature, scope, context and purposes
Impact assessment required:
• - a systematic evaluation of personal aspects via automated processing/ profiling
• - large-scale processing of special categories of data
• - a systematic monitoring of a publicly accessible area on a large scale
• Supervisory authority shall establish a list of activities where impact assessment is required
Impact assessment shall contain:
• - description of processing operations and purposes
• - assessment of the necessity, proportionality and risks to data subjects
• - measures to address the risks (safeguards, security measures)
• - codes of conduct
• - controller shall seek the views of data subjects or their representatives
• - periodic reviews to assess compliance with impact assessment and reassessment
• - High risk data processing: controller shall consult SA
• - Member States may require authorization for certain tasks performed in public interest
Data Protection Officer
Data protection officer
• The controller/processor shall designate a data protection officer where relevant
• A DPO may be designated for several public authorities
• DPO may act for associations representing controllers or processors
• DPO should be an expert on data protection law and practices
• DPO's contact must be public
• DPO must be involved in all data protection issues
• DPO shall be bound by secrecy or confidentiality
DPO tasks
• Advise controller/processor on requirements of the regulation and monitor compliance
• Be involved in audits and impact assessments
• Cooperate with SA and act as contact point
Code of Conduct, Certification
Code of Conduct
• Member States, Supervisory Authorities, the Board and the Commission encourage
• Associations representing controllers/processors prepare Codes of Conduct
• Include out-of-court proceedings and dispute resolution
• The Board shall collate all approved Codes of Conduct and make them public
• Accredited monitor of compliance
Certification
• Member States, Supervisory Authorities, the Board and the Commission encourage
• Approved data protection certification mechanisms, seals or marks
• Enforceable commitments, contractual or other
• Certification shall be voluntary, available via transparent process
• Certification bodies shall be accredited on the basis of criteria approved by SA
• The Commission may adopt implementing acts on technical standards for certification
TRANSFERS TO THIRD COUNTRIES
General principles | Derogations
International cooperation
General principles for transfers
• Level of protection of natural persons guaranteed by this Regulation is not
undermined
Transfers on the basis of an adequacy decision
• Favorable Adequacy decision by the Commission – no special authorization
required
Transfers subject to appropriate safeguards
• Adequacy decision not available: providing appropriate safeguards, enforceable
rights and effective legal remedies for data subjects are available.
Subject to the authorization from the competent supervisory authority
• Contractual clauses
• Provisions in administrative arrangements
Authorizations based on Directive 95/46/EC remain valid until amended/replaced
Binding corporate rules, subject to approval by supervisory authority
Transfers or disclosures not authorized by Union law
Transfers to third countries and international
organizations
Derogations for specific situations
• Explicit consent of data subject
• Transfer is necessary for the performance of a contract
• Important reasons of public interest (public interest recognized in Union law)
• Establishment, exercise or defense of legal claims
• Vital interests of the data subject/other persons, data subject incapable of giving consent
• Public register
• Binding corporate rules
International cooperation for the protection of personal data
• The Commission and supervisory authorities shall take appropriate steps to
• - develop international cooperation mechanisms to facilitate the effective enforcement
• - provide international mutual assistance in enforcement
• - engage relevant stakeholders in furthering international cooperation in enforcement
• - promote the exchange and documentation of legislation and practice
Transfers to third countries and international
organizations
SUPERVISORY AUTHORITIES
General conditions | Competence | Tasks | Powers
Independent supervisory authorities
Each Member State shall
• have at least one supervisory authority
• notify the Commission of its provisions by 25 May 2018
• provide their SAs with resources, premises and infrastructure
General conditions for the members of SAs
• Appointed by means of a transparent procedure
• Have the qualifications, experience and skills required to exercise their powers
• The duties of a member shall end upon leaving office
• A member shall be dismissed only in cases of serious misconduct
Rules on the establishment of the supervisory authority
• Each Member State shall provide by law for establishment of SAs, qualifications and
eligibility, rules for appointing its members, term duration, conditions and prohibitions
• SA staff shall be subject to a duty of professional secrecy
Competence, tasks and powers
Competence
• Each SA shall be competent for the performance of the tasks assigned
• SAs shall not supervise processing operations of courts reviewing them
• Competence of the lead supervisory authority
Tasks
• SA shall on its territory monitor and enforce the application of this Regulation
• Promote public awareness on data processing
• Advise the national institutions and bodies
• Promote awareness of controllers and processors of their obligations
• Provide information to data subjects
• Handle complaints
• Cooperate with other supervisory authorities
• Conduct investigations, monitor relevant developments and practices
• Adopt standard contractual clauses, maintain list of impact assessments
• Any other tasks related to the protection of personal data.
Competence, tasks and powers
Powers
• Request information from controller and processor relevant to its tasks
• Carry out investigations, audits and review on certifications
• Access to any premises
• Issue warnings, reprimands and orders to comply
• Impose limitation or ban on processing
• Order rectification or erasure of personal data or restriction of processing
• Withdraw certification, impose administrative fine
• Order suspension of data flows to third country or to an international organization
• Issue opinions to national institutions
• Authorize processing
• Approve draft codes of conduct
• Accredit certification bodies, issue certifications and approve criteria of certification
• Adopt standard data protection clauses, and administrative arrangements
• Approve binding corporate rules
• Bring infringements of this Regulation to the attention of the judicial authorities
• Write annual report on its activities
COOPERATION & CONSISTENCY
Supervisory Authorities | The Board | EDPS
Cooperation
• Cooperation between the lead supervisory authority and the other SAs
• Lead SA shall cooperate with other SAs to reach consensus
• Exchange all relevant information with each other
• Request mutual assistance in investigations
• Adopt decision and notify the controller/processor
Mutual assistance
• Relevant information and mutual assistance to each other
• Requests for assistance formalized and reasoned, information in a standardized format
• The Commission may specify the format and procedures for mutual assistance
Joint operations
• Joint investigations and joint enforcement measures
• Controller or processor has establishments in several Member States
• Significant number of data subjects in more than one Member State affected
• SA may confer powers on the seconding SA's members or staff
• Provisional measures on the territory, urgent binding decision
Supervisory authorities and the Commission apply this Regulation
consistently throughout the Union
Opinion of the Board
• Where a competent SA intends to adopt any of these measures
• List of the processing operations for impact assessments
• Code of conduct, criteria for accreditation
• Standard data protection clauses, contractual clauses, binding corporate rules
• Procedure for requests of Board opinion in other matters
• Dispute resolution by the Board in specific situations
Urgency procedure
• Exceptional circumstances
• Supervisory authority sees an urgent need to act
• Immediately adopt provisional measures on its own territory for up to 3 months
• Measures and reasons communicated to other SAs, the Board and to the Commission
• SA may request an urgent opinion or an urgent binding decision from the Board
Exchange of information
• The Commission may adopt implementing acts for the exchange of information
Supervisory authorities and the Commission apply this Regulation
consistently throughout the Union
European Data Protection Board (the Board)
• Established as a body of the Union
• Represented by its Chair: Giovanni Buttarelli and Wojciech Wiewiórowski
• Composed of Member States’ SA heads and the European Data Protection Supervisor
• More than 1 SA in a Member State – appoint joint representative
• The Commission can participate in Board activities and meetings without voting right
• EDPS shall have voting rights only on decisions which concern principles and rules
The Board ensures the consistent application of this Regulation
• - monitors and ensures correct application of this Regulation by SAs
• - advises the Commission
• - issues guidelines, recommendations, and best practices and reviews their application
• - carries out accreditation of certification bodies
• - promotes cooperation, common training programs and facilitates personnel exchanges
• - maintains publicly accessible electronic registry of decisions by SAs and Courts
• - consults interested parties and gives them the opportunity to comment
European Data Protection Board
Reports
• The Board shall draw up an annual report
• Review of the practical application of the guidelines and best practices
Procedure
• The Board decides by a simple majority and adopts its own rules of procedure
Chair
• The Board shall elect a chair and two deputy chairs, 5-year term, renewable once
Tasks of the Chair
• Convenes Board meetings, notifies decisions, ensures performance of the Board
Secretariat
• The Board shall have a secretariat provided by the EDPS
• The secretariat performs its tasks under the instructions of the Chair of the Board
• EDPS staff is subject to separate reporting lines
• The secretariat provides analytical, administrative and logistical support to the Board
Confidentiality
• The discussions of the Board shall be confidential where necessary
• Access to documents submitted to the Board shall be governed by Reg. (EC) 1049/2001
REMEDIES, LIABILITY, PENALTIES
Complaints | Judicial remedies | Representation | Fines
Right to lodge a complaint
• Every data subject shall have the right to lodge a complaint with a supervisory authority
• The supervisory authority shall inform the complainant on progress and outcome
Right to an effective judicial remedy against a supervisory authority
• Each natural or legal person shall have the right to an effective judicial remedy
• Proceedings against a SA shall be brought before the courts of the Member State
Right to an effective judicial remedy against a controller/processor
• Each data subject shall have the right to an effective judicial remedy
• Proceedings against a controller/processor shall be brought before the courts
Representation of data subjects
• Data subjects shall have the right to mandate an NGO to lodge complaint on their behalf
• Such NGO may also act independently of a data subject's mandate
• Suspension of proceedings if the same subject matter is pending decision elsewhere
Right to compensation and liability
• Any person who has suffered damage shall have the right to receive compensation
• Any controller involved in processing shall be liable for the damage
• A controller/processor shall be exempt if it proves that it is not responsible for the damage
• Where more than one controller/processor is involved, all shall be liable
General conditions for imposing administrative fines
• Each SA shall ensure that administrative fines are effective, proportionate and dissuasive
• Administrative fines shall respect the nature, gravity and duration of the infringement,
damage suffered, intent/negligence, mitigation efforts, degree of responsibility, degree of
cooperation with SA, previous measures, adherence to code of conduct, other
• Infringements of specific provisions: fines up to 10 000 000 EUR (or 2 % turnover)
• Infringements of specific provisions: fines up to 20 000 000 EUR (4%)
• Non-compliance with an order: fines up to 20 000 000 EUR (4 %)
• Procedural safeguards include effective judicial remedy and due process
• Legal remedies shall be effective, proportionate and dissuasive
Penalties
• Member States shall lay down the rules on other applicable penalties
SPECIFIC PROCESSING SITUATIONS
Balancing rights | Public interest | Official documents
Obligation of Secrecy | Churches
Processing and freedom of expression and information
• Journalistic, academic, artistic, literary purposes: exemptions or derogations
• Each Member State shall notify the Commission of its laws
Processing and public access to official documents
• Personal data in official documents may be disclosed in accordance with law
Processing of the national identification number
• Specific conditions for processing of a national identification number or other identifier
right to the protection of personal data | right to freedom of expression and information, journalistic, academic, artistic or literary expression
Processing in the context of employment
• Specific rules for processing of employees' personal data
• Human dignity, legitimate interests and fundamental rights
Archiving, research & statistics
• Safeguards and derogations for archiving, scientific or historical research, statistics
• Principle of data minimization
• Pseudonymization
• Derogations necessary for the fulfilment of specific purposes
Obligations of secrecy
• Specific rules to obligation of secrecy for controllers/processors
Existing data protection rules of churches and religious associations
• Comprehensive rules relating to the protection of natural persons
• Churches and religious associations shall be subject to the supervision of a specific
independent supervisory authority
DELEGATED & IMPLEMENTING ACTS
Delegated Acts | Final provisions | Related EU law
Delegated acts and implementing acts
• The Commission shall adopt delegated acts
• A delegated act shall enter into force only if no objection has been expressed by either the
European Parliament or the Council within three months
Committee procedure
• The Commission shall be assisted by a committee
• Articles 5 and 8 of Regulation (EU) No 182/2011 apply
Final provisions
• Directive 95/46/EC is repealed with effect from 25 May 2018.
• This Regulation shall not impose additional obligations on natural or legal persons in
relation to processing of information from social networks set out in Directive 2002/58/EC.
Relationship with previously concluded Agreements
• International agreements concluded prior to 24 May 2016 remain in force until replaced
• By 25 May 2020 the Commission shall submit a report on the evaluation and review of
this Regulation to the European Parliament and to the Council and make it public
• The Commission shall submit proposals to amend Union laws to ensure consistency
Related EU law
• Personal data processing by EU institutions
• Governed by Regulation (EC) No 45/2001
• Processing of personal data by the Union institutions, bodies and agencies.
• Movement of data within the EU
• Movement of data within the EU: Article 290 TFEU delegated to the Commission.
• Personal data processing by National authorities
• Governed by Directive (EU) 2016/680
• Prevention, investigation, detection, prosecution of crimes; security threats
• Specific provisions for anti-money laundering and forensic laboratories
• Personal data processing by Intermediary service providers
• Directive 2000/31/EC liability rules (Articles 12 to 15)
• Free movement of information society services between Member States.
• Consent to personal data processing:
• Council Directive 93/13/EEC: a declaration of consent must be intelligible, easily
accessible, in a clear and plain language w/o unfair terms.
• Confidential information collected for statistical purposes
• European statistics - Article 338(2) TFEU and national law (national statistics)
• Regulation (EC) No 223/2009: statistical confidentiality for European statistics.
• Reuse of public sector information
• Directive 2003/98/EC on reuse of public sector information
ARETE-ZOE, as a consultancy, provides solutions to complex problems in the
high stakes and high consequence environment of Global Pharmaceuticals,
including clinical research, healthcare informatics, and public
health. We blend established Pharma sector methodologies, innovation, and
adaptations/transfers from other sectors to identify and resolve consequential
practices that pose risk and often result in avoidable patient casualty. However,
we are specifically not a patient advocacy group but believe in optimizing
organizational effectiveness and that smart business is agile, competitive and
profitable, while intrinsically safe, secure, and resilient. We work within a global
context because transnational interests influence national circumstances and
choices at point of prescription.
ARETE-ZOE provides full spectrum organizational and operational risk
management consultancy. Our published materials provide a glimpse of some
aspects of our services to demonstrate both knowledge and ongoing participation
within the Pharmaceutical Industry. Our analysis and consultancy includes all
channels of misuse, diversion, counterfeiting and illicit exploitation of
pharmaceuticals, medical devices, and precursor chemicals. Our advisement is to
manufacturers, jurisdictional entities, insurers, legislators, litigators, patients, and
health care providers.
This scope also frequently segues into the nexus of crime and terrorism as
significant influencers that undermine sector integrity differentiated from other
criminal activity. Obviously, vulnerability assessment, information collection
management and intelligence production supporting decision-making for risk
reduction and interventions are routinely within the scope of our services as well
as design and implementation of operational control measures.
ARETE-ZOE, LLC: 1334 E Chandler Blvd 5A-19, 85048 Phoenix, AZ, USA | T:+1-480-409-0778 (24/7) | website: http://www.aretezoe.com/

More Related Content

What's hot

Alternative Approaches to FDA Approval for Drug and Device Firms
Alternative Approaches to FDA Approval for Drug and Device FirmsAlternative Approaches to FDA Approval for Drug and Device Firms
Alternative Approaches to FDA Approval for Drug and Device FirmsMichael Swit
 
A New Approach at Conducting Post-Market Drug Safety Surveillance
A New Approach at Conducting Post-Market Drug Safety SurveillanceA New Approach at Conducting Post-Market Drug Safety Surveillance
A New Approach at Conducting Post-Market Drug Safety SurveillanceArete-Zoe, LLC
 
Latin America´s Role In Clinical Studies
Latin America´s Role In Clinical StudiesLatin America´s Role In Clinical Studies
Latin America´s Role In Clinical StudiesPAREXEL International
 
Redesigning post-market safety surveillance
Redesigning post-market safety surveillance Redesigning post-market safety surveillance
Redesigning post-market safety surveillance Arete-Zoe, LLC
 
Big Data in Drug Safety: Making post-marketing surveillance in pharmacovigila...
Big Data in Drug Safety: Making post-marketing surveillance in pharmacovigila...Big Data in Drug Safety: Making post-marketing surveillance in pharmacovigila...
Big Data in Drug Safety: Making post-marketing surveillance in pharmacovigila...Arete-Zoe, LLC
 
Peripheral vascular devices global trends, estimates and forecasts, 2012-2018
Peripheral vascular devices   global trends, estimates and forecasts, 2012-2018Peripheral vascular devices   global trends, estimates and forecasts, 2012-2018
Peripheral vascular devices global trends, estimates and forecasts, 2012-2018Research Hub
 
Oncology Treatment Network Structure in Russia and its Impact on the Success ...
Oncology Treatment Network Structure in Russia and its Impact on the Success ...Oncology Treatment Network Structure in Russia and its Impact on the Success ...
Oncology Treatment Network Structure in Russia and its Impact on the Success ...Accell Clinical Research, LLC
 
Roadmap to Emerging Regions: Clinical Trials in Developing Countries
Roadmap to Emerging Regions: Clinical Trials in Developing CountriesRoadmap to Emerging Regions: Clinical Trials in Developing Countries
Roadmap to Emerging Regions: Clinical Trials in Developing CountriesMichael Swit
 
Regulatory Challenges In Executing Clinical Trials Globally
Regulatory Challenges In Executing Clinical Trials GloballyRegulatory Challenges In Executing Clinical Trials Globally
Regulatory Challenges In Executing Clinical Trials GloballyMichael Swit
 
Cowen conference-031318-intro-slides-final-v2
Cowen conference-031318-intro-slides-final-v2Cowen conference-031318-intro-slides-final-v2
Cowen conference-031318-intro-slides-final-v2pfizer_ir
 
A Bird's-Eye View of the Rare Disease Landscape
A Bird's-Eye View of the Rare Disease LandscapeA Bird's-Eye View of the Rare Disease Landscape
A Bird's-Eye View of the Rare Disease LandscapePharma Intelligence
 

 
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In LudhianaHot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
 
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
 
VIP Call Girl Sector 88 Gurgaon Delhi Just Call Me 9899900591
VIP Call Girl Sector 88 Gurgaon Delhi Just Call Me 9899900591VIP Call Girl Sector 88 Gurgaon Delhi Just Call Me 9899900591
VIP Call Girl Sector 88 Gurgaon Delhi Just Call Me 9899900591
 
Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...
Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...
Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...
 
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012
 
VIP Call Girl Sector 32 Noida Just Book Me 9711199171
VIP Call Girl Sector 32 Noida Just Book Me 9711199171VIP Call Girl Sector 32 Noida Just Book Me 9711199171
VIP Call Girl Sector 32 Noida Just Book Me 9711199171
 
Russian Call Girls in Hyderabad Ishita 9907093804 Independent Escort Service ...
Russian Call Girls in Hyderabad Ishita 9907093804 Independent Escort Service ...Russian Call Girls in Hyderabad Ishita 9907093804 Independent Escort Service ...
Russian Call Girls in Hyderabad Ishita 9907093804 Independent Escort Service ...
 
Call Girls Hyderabad Krisha 9907093804 Independent Escort Service Hyderabad
Call Girls Hyderabad Krisha 9907093804 Independent Escort Service HyderabadCall Girls Hyderabad Krisha 9907093804 Independent Escort Service Hyderabad
Call Girls Hyderabad Krisha 9907093804 Independent Escort Service Hyderabad
 
Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7
Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7
Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7
 
Call Girls Kukatpally 7001305949 all area service COD available Any Time
Call Girls Kukatpally 7001305949 all area service COD available Any TimeCall Girls Kukatpally 7001305949 all area service COD available Any Time
Call Girls Kukatpally 7001305949 all area service COD available Any Time
 
Call Girl Raipur 9873940964 Book Hot And Sexy Girls
Call Girl Raipur 9873940964 Book Hot And Sexy GirlsCall Girl Raipur 9873940964 Book Hot And Sexy Girls
Call Girl Raipur 9873940964 Book Hot And Sexy Girls
 
Russian Call Girls Hyderabad Indira 9907093804 Independent Escort Service Hyd...
Russian Call Girls Hyderabad Indira 9907093804 Independent Escort Service Hyd...Russian Call Girls Hyderabad Indira 9907093804 Independent Escort Service Hyd...
Russian Call Girls Hyderabad Indira 9907093804 Independent Escort Service Hyd...
 
Call Girl Gurgaon Saloni 9711199012 Independent Escort Service Gurgaon
Call Girl Gurgaon Saloni 9711199012 Independent Escort Service GurgaonCall Girl Gurgaon Saloni 9711199012 Independent Escort Service Gurgaon
Call Girl Gurgaon Saloni 9711199012 Independent Escort Service Gurgaon
 

Personal data protection in the EU

  • 1. PERSONAL DATA PROTECTION (EU) Regulation (EU) 2016/679 of April 2016 Publication date: February 06, 2017 ARETE-ZOE, LLC: 1334 E Chandler Blvd 5A-19, 85048 Phoenix, AZ, USA | T:+1-480-409-0778 (24/7) | website: http://www.aretezoe.com/
  • 2. Overview • Repeals Directive 95/46/EC • Passed in April 2016 • To be adopted by May 2018 • Protection of data of natural persons is a fundamental human right • Free movement of personal data within the EU not restricted • Includes ‘data concerning health’ • Conditions of consent • Processing of special categories of personal data severely restricted • Right to access, rectification and erasure • Obligations of controllers and processors • Security of personal data • Member states shall incorporate specifics in national law
  • 3. INTENT Regulation (EU) 2016/679 of April 2016 This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.
  • 4. The Treaty on the functioning of the European Union
  • 5. Right to the protection of personal data • All natural persons regardless of nationality or residence • Not an absolute right but balanced against other rights • Substantial increase in cross-border flow of personal data • Public and private actors & national authorities • Technological developments • Globalization • Disclosures made through social networks • Differences in data protection hinder business Coherent data protection & enforcement required for digital society and economy to thrive
  • 6. • Definition • Rights of natural persons that are protected • Legal persons not affected • Powers for monitoring and ensuring compliance, incl. sanctions • Purpose • Legal certainty and transparency for economic subjects • Same level of enforceable rights for all natural persons in the EU • Effective cooperation between supervisory authorities • Provisions for small business (<250 employees) • National security, common foreign/security policy matters excluded Principle of technological neutrality for data processing to cover both automated and manual systems
  • 7. Exemptions Purely personal or household activity • Correspondence • Holding of addresses • Social networking • NOT Controllers of household activities • NOT Courts and judicial authorities • EXEMPT • Anonymous information • Deceased persons
  • 8. Applicability • Controller • Processor • Intermediary • Commercial • Diplomatic • Processing of personal data of EU natural persons • Regardless of whether the processing itself takes place within the EU • Regardless of place of establishment of the controller / processor / intermediary • Effective and real exercise of activity through stable arrangements. • Customers’ data (incl. marketing) • Intention to offer goods or services to data subjects in the EU: • Accessibility of website in the EU • Email address/contact details • Language and/or currency • Possibility of ordering goods and services • Mentioning of customers or users who are in the EU • Monitoring of EU data subjects on EU territory • Tracking persons online and their profiling • Analysis/prediction of personal preferences, behaviors and attitudes. • Diplomatic mission or consular posts of Member States
  • 9. National authorities • Tax and customs authorities • Financial investigation units • Independent administrative authorities • Financial market authorities (securities markets) • Requests for disclosure in writing, reasoned and limited Purpose of data processing • Compliance • Public interest • Exercise of official authority • Specific situations clearly defined
  • 10. Health data • (33) Scientific research • (34) Genetic data • (35) Health data • Data subjects should be allowed to give consent to certain areas of scientific research or its parts in compliance with ethical standards • Genetic data should be defined as personal data: analysis of a biological sample (chromosomal, DNA or RNA analysis) • Personal data concerning health: • Health status of a data subject (past, current or future) • Physical or mental health status • Information collected for registration or provision of health care services • Unique identifiers for health purposes • Information derived from medical and laboratory tests or examinations Information on disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state
  • 11. Applicability • Identifiable live persons • Declare risks, rules, rights • Define safeguards • Legitimate purpose • Limited time • Accuracy / Correction • Security • Confidentiality Processing of personal data • Declare: risks, rules, safeguards and rights and how to exercise their rights. • Purpose: explicit, legitimate and declared, cannot be fulfilled by other means • Storage: limited to a strict minimum, time limits for erasure / periodic review. • Corrections: Inaccurate personal data should be rectified or deleted • Security and confidentiality • Children: specific protection for marketing or creating profiles Identified or identifiable natural persons • Including pseudonyms, if attributable • Direct and indirect identification • Costs of identification/attribution • Technological: device identifiers, IP addresses, cookies, RFID tags • If a person cannot be identified, the controller has no obligation to follow-up Pseudonymization during processing recommended to reduce risks
  • 12. Lawful Processing Lawful | Fair | Transparent Consent In the context of entering into contract Compliance with legal obligation Public interest (public health) Exercise of official authority (specifics defined in national law) Essential for the life of the data subject or that of another natural person. Vital interest of another natural person (if there is no other legal basis). Humanitarian purposes, epidemics, emergencies, disasters Legitimate interests of a controller based on relationship with data subject Group of undertakings: transmitting data for internal administrative purposes Extent strictly necessary and proportionate Transparency: concise, accessible, easy to understand
  • 13. Information Security • Availability • Authenticity • Integrity • Confidentiality • Ensuring network and information security • Resilience of a network or an information system • At a given level of confidence • Resist accidental events and/or unlawful or malicious actions • Data and information security • Both stored and transmitted personal data • Security of the related services offered via those networks • Legitimate interests: public authorities, CERTs, CSIRTs, by carriers, providers of security technologies and services Preventing unauthorized access to networks, malicious code distribution and stopping ‘denial of service’ attacks and damage to computers and networks.
  • 14. Controller CONTROLLER • Organization: the main establishment of the processor should be its central administration • A group of undertakings should cover a controlling and controlled undertakings • Erasure: all controllers who made the data public • Controllers shall erase any links, copies or replications of personal data • Methods: restriction of public access to such data • NOT: controllers in the exercise of their public duties • Data subject shall receive data in a structured format • Portability: right to have personal data transmitted directly from one controller to another. DATA SUBJECT • Right to object to the processing of any personal data • Direct marketing: the right to opt out, free of charge • Request, Access, Rectify and Erase data about self • Right to be informed of profiling and its consequence • Informed of disclosure to third parties • Where the controller processes a large quantity of information about the subject, the request for disclosure needs to be specific • Controller should take reasonable measures to identify the requestor Controller has to demonstrate that its compelling legitimate interest overrides the interests of the data subject.
  • 15. Non-original Purpose The processing of personal data for purposes other than those for which they were originally collected should be allowed only if • Such processing is compatible with the original purposes • Data subject has given consent • Serves important objectives of general public interest • Transmission of susp. criminal acts or threats to public security to law enforcement Legal, professional or other binding obligation of secrecy applies.
  • 16. The right to be forgotten ERASURE • Right to have own personal data rectified • Infringement of this regulation • Personal data no longer necessary for purposes for which they were processed • Data subject has withdrawn consent • Data subject objects • Processing not in compliance with this Reg. • Data subject consented as a child • Controller should ensure erasure of links, copies or replications RETENTION • Freedom of expression and information • Compliance with a legal obligation • Task carried out in public interest • Official authority vested in the controller • Public interest in the area of public health • Archiving purposes in the public interest • Scientific or historical research • Statistical purposes • Establishment, exercise, defense of legal claims.
  • 17. Sensitive data Profiling Particularly sensitive personal data and profiling • Racial or ethnic origin • Political opinions, religion or philosophical beliefs • Trade union membership • Genetic data, health data, sex life • Criminal convictions or offences and security measures • Photographs for identification don’t count as racial profiling • Analysis of personal aspects, performance at work • Economic situation • Personal preferences or interests • Reliability or behavior • Location or movements • Allowed in employment law, social protection law, health security • Allowed where expressly authorised (fraud, tax-evasion monitoring) The data subject should have the right not to be subject to a decision based solely on automated processing and which produces legal effects (automatic refusal of an online credit application or e-recruiting practices)
  • 18. Risks to natural persons Discrimination Identity theft or fraud Financial loss Damage to reputation Loss of confidentiality of data protected by professional secrecy Reversal of Pseudonymisation Economic or social disadvantage Rights of data subject vs. rights of society • Data subject’s rights need to be balanced against the rights of the society • Responsibility and liability of the controller needs to be established • The risk to the rights and freedoms of natural persons, of varying likelihood and severity could lead to physical, material or non-material damage: • Data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; High risk: • Vulnerable persons (children) • Large amount of personal data • Large number of data subjects Risk assessment • The likelihood and severity of the risk to the data subject should be determined by reference to the nature, scope, context and purposes of processing • Establish whether risks involved in data processing operations
  • 19. Data Security Measures Appropriate technical and organizational measures • Risk assessment relating to the scope, nature and purpose of processed data • Clear allocation of the responsibilities • Representative if controller/processor is not established in the Union • Development, design, selection and use of applications, services and products • Create and improve security features • Expert knowledge, reliability and resources • Encryption • Approved code of conduct • Certification mechanism • Records of processing activities for audit purposes Balance costs against risks of data destruction, loss, alteration, or disclosure Data protection impact assessment for high risk data Scope | Nature | Scale | Purpose
  • 20. Data Breaches • Reportable within 72 hrs • Impact assessment Report data breaches to supervisory authority within 72 hours • Controller should communicate high risk data breaches to the subject • Nature of the personal data breach • Recommendations to mitigate potential adverse effects. • Intervention of the supervisory authority • Appropriateness of technical protection • Likelihood of identity fraud or other forms of misuse Impact assessment of large-scale data processing operations • Obligation of controllers/processors • Consultation of the supervisory authority and/or experts required • Special categories of personal data • Data relating to criminal convictions and offences • Codes of conduct and certification systems
  • 21. International data flow Flows of personal data to and from countries outside the Union are necessary for trade • Level of protection of natural persons should not be undermined • Appropriate safeguards for the data subjects • International agreements for the transfer of personal data to third countries European Commission • May decide which countries offer an adequate level of data protection • May revoke such a decision • Monitors the functioning of decisions • May recognize that a third country no longer ensures adequate level of protection. Controller/Processor • Measures to compensate for the lack of data protection • Binding corporate rules, standard data protection clauses or contractual clauses • Provisions for occasional consensual data transfers • Derogations for data transfers for important reasons of public interest • Scientific or historical research purposes or statistical purposes • International laws requiring transfer or disclosure of personal data
  • 22. Supervisory authorities National Supervisory Authorities • Competent on the territory of its own Member State • Contribute to consistent application of the law throughout the Union • Powers exercised impartially, fairly and within a reasonable time • Act in accordance with procedural law • Power to impose a limitation, including a ban, on data processing. • Measure should be appropriate, necessary and proportionate and in writing • Urgent need to act: provisional measures valid up to 3 months. Joint operations • If more than one are involved, one should function as a single contact point • One-stop-shop mechanism Constraints • Unable to conduct investigations outside their borders • Insufficient preventative or remedial powers • Inconsistent legal regimes and resource constraints
  • 23. Handling Complaints • Data subjects should have the right to lodge a complaint with a single Supervisory Authority • Organization that could lodge complaints independently from data subjects’ mandate • Annulment of decisions: Board before the Court of Justice (Article 263 TFEU). • Legally binding decisions of Supervisory Authorities shall be subject to judicial review • Courts ensure consistency of application of the Regulation • Controller/processor liable for damage caused by infringement of this Regulation • The controller/processor exempt from liability if it proves that it is not responsible for damage • Data subjects entitled to compensation for damage
  • 24. Enforcement Controllers/processors involved in data processing all liable for the entire damage. Where joined to the same proceedings, compensation shall be apportioned. Penalties for infringement: administrative fines or reprimand • Nature, gravity and duration of the infringement • Intent, actions taken to mitigate the damage, degree of responsibility • Relevant previous infringements • Compliance with measures • Adherence to a code of conduct • Other aggravating or mitigating factor. • Imposition of penalties subject to procedural safeguards • Criminal penalties may apply (Denmark) • Criteria for infringements and upper limit for fines • Consistent application System which provides for effective, proportionate and dissuasive penalties
  • 25. Balance other rights • Freedom of expression, information, journalism, art and literary expression Employment context • Collective agreements, including ‘works agreements’ Public interest • Archiving, scientific or historical research, statistical purposes • Reuse of official documents Safeguards • Assess feasibility of processing data w/o identification - pseudonymization. • For the processing of personal data for special situations • For data subjects: rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object • Procedures and technical and organizational measures • Proportionality and necessity principles • Other relevant legislation (clinical trials). Coupling information from registries: i.e. medical research, social science, subject to conditions set out in specific EU or national law (clinical trials) Freedom of expression Reuse of public information
  • 26. Public Interest • Archiving • Scientific Research • Historical Research • Statistical Purposes Archiving • Legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for public interest. • Processing of personal data for archiving purposes: political behavior under totalitarian regimes, genocide, crimes against humanity, Holocaust, or war crimes. Scientific research • Technological development and demonstration, fundamental research, applied research and privately funded research • Union's objective under Article 179(1) TFEU of achieving a European Research Area. • Studies conducted in the public interest in the area of public health. • Specific conditions apply for publication/disclosure of personal data in scientific context • Consent to the participation in scientific research: Regulation (EU) No 536/2014 Historical research • Applicability includes historical research and genealogy Statistical purposes • National law determines content, access controls, specifications, and safeguards • Result of processing for statistical purposes is aggregate data, not personal
  • 27. Supervision Supervisory authorities • Access to personal data on controller’s premises subject to national law • Specific rules for professional secrecy obligations • Specific rules for churches and religious associations • Movement of data: Article 290 TFEU delegated to EC • Criteria and requirements for certification • Information to be presented by standardized icons • Uniform conditions for the implementation • Specific measures for small business Procedure • Standard contractual clauses • Codes of conduct • Technical standards and mechanisms for certification • Decisions on adequacy of protection in third country • Standard protection clauses • Formats and procedures for information exchanges • Mutual assistance • Arrangements for information exchange between supervisory authorities • Implementing acts regarding third countries and international organizations
  • 28. GENERAL PROVISIONS Objectives | Scope | Exemptions | Territory | Definitions
  • 29. Objectives • Protection of personal data of natural persons • Free movement of data within the EU not restricted Scope • Processing of personal data by automated means • Processing other than by automated means which form part of a filing system Exemptions • Activity outside the scope of Union law • Member States carrying out activities under Chapter 2 of Title V of the TEU • Purely personal or household activity • Competent authorities for prevention and investigation of crimes and public threats • EU agencies: Regulation (EC) No 45/2001 (Art 98) • Liability rules of intermediary service providers: Directive 2000/31/EC (Art 12 - 15) Territory • Processing of personal data by controllers/processors established in the EU • Data subjects who are in the EU: trade and marketing, monitoring and tracking
  • 30. DEFINITIONS ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status ‘personal data’ - ‘processing’ - ‘restriction of processing’ - ‘profiling’ - ‘pseudonymisation’ - ‘filing system’ - ‘controller’ - ‘processor’ - ‘third party’ - ‘consent’ - ‘personal data breach’ - ‘genetic data’ - ‘biometric data’ - ‘data concerning health’ - ‘main establishment’ - ‘representative’ - ‘enterprise’ - ‘group of undertakings’ - ‘binding corporate rules’ - ‘supervisory authority’ - ‘supervisory authority concerned’ - ‘cross-border processing’ - ‘relevant and reasoned objection’ - ‘information society service’ - ‘international organization’
  • 31. PRINCIPLES Lawful-Fair-Transparent | Consent | Special categories
  • 32. LAWFULNESS | FAIRNESS | TRANSPARENCY Personal data shall be processed lawfully, fairly and in a transparent manner • Purpose limitation: collected for specified, explicit and legitimate purposes • Public interests: archiving, scientific or historical research, or statistical purpose • Data minimization: adequate, relevant and limited • Accuracy: accurate, up to date; erased or rectified without delay • Identifiable data subjects – adequate form • Storage limitation: No longer than necessary • Appropriate security of the personal data • Integrity and confidentiality: Protection against unauthorized or unlawful processing, loss, destruction or damage • Accountability: controller shall be able to demonstrate compliance
  • 33. LAWFULNESS | FAIRNESS | TRANSPARENCY Personal data shall be processed lawfully, fairly and in a transparent manner • Data subject consented to data processing for a specific purpose • Controller/processor has a contract to which the data subject is party • Compliance with Controller’s legal obligation • Protection of vital interests of the data subject or of another natural person • Public interest or official authority vested in the controller • Legitimate interests pursued by the controller or by a third party • Requirements for specific processing situations (Chapter IX) • Legal basis for purpose of processing specified in other EU or national law • Further processing: based on data subject's consent, legal requirement, or for purpose compatible with the original purpose, special type data and safeguards
  • 34. Consent Clear | Affirmative | Freely given | Specific | Informed | Unambiguous GO • Written statement, including electronic, oral • Intelligible, easily accessible, in a clear and plain language w/o unfair terms. • Ticking a box, choosing technical settings • Processing for multiple purposes requires multiple consents • Documented by controller for audit purposes • Informed: identity of the controller, purpose(s) • Freely given: genuine choice • Able to refuse/withdraw w/o detriment. • Contract only if necessary for performance of such contract NO-GO • Silence rather than consent • Pre-ticked boxes or inactivity • Clear imbalance (public authority) • No separate consents to different operations CHILD’s CONSENT • Minimum age 16 years, otherwise parents • Member States may lower age to 13
  • 35. PROHIBITED CATEGORIES • Racial or ethnic origin • Political opinions • Religious or philosophical beliefs • Trade union membership • Genetic data • Biometric data • Data concerning health • Sex life or sexual orientation EXCEPTIONS • Data subject has given explicit consent • Obligations in employment, social security/protection • Protection of vital interests where the data subject is physically or legally incapable of giving consent • Legitimate activities by NGOs with related aim • Personal data manifestly made public by the data subject • Establishment, exercise or defense of legal claims • Substantial public interest • Law proportionate to the aim pursued • Preventive or occupational medicine • Work assessments, medical diagnosis and care • Management of health or social care systems • Contract with a health professional • Public health, serious cross-border threats to health • Archiving, scientific or historical research, statistics • Safeguards may include obligation of secrecy Registries of criminal convictions and offences or security measures shall be processed by an official authority Controller shall not be obliged to process additional information in order to identify the data subject
  • 36. RIGHTS OF DATA SUBJECT Transparency | Modalities | Rectification | Erasure Objection | Portability | Profiling | Restrictions
  • 37. Transparency and modalities Controller provides information relating to processing to data subject • in writing, in accessible form, within 1 month, free of charge • shall not refuse to act on the request • except: when controller cannot identify the data subject • by electronic means where possible • Requests manifestly unfounded or excessive: charge a fee or refuse to act • If in doubt, the controller may request confirmation of identity • Information provided: easily meaningful overview of intended processing • EC shall adopt delegated acts to determine standardized icons and procedures Lodge complaint with a supervisory authority Judicial remedy Request to controller
  • 38. Information and access to own personal data Data collected from the data subject • Controller’s identity and contact • Purposes and legal basis for processing • Third party recipients • Transfer to a third country • Safeguards • Storage period • Rights: to access, rectification, erasure, restriction, portability • Right to withdraw consent • Right to lodge a complaint with a supervisory authority • Condition of contract/statutory requirement • Consequences of failure to provide such data • Automated decision-making, including profiling • Logic, significance and consequences of processing • Further processing for other purposes Data obtained from elsewhere • Ditto and more: • Categories of personal data concerned • Means to obtain a copy • Where the processing is based • Where did the data originate, public sources? • Disclosure to another recipient Duty to inform data subject shall not apply • - the data subject already has the information; • - disproportionate effort (archiving, research)
  • 39. Right to obtain erasure of personal data where one of the following grounds applies: • - personal data are no longer necessary in relation to purpose of processing • - data subject withdraws consent, no other legal ground for processing • - data subject objects to processing, no overriding legitimate grounds • - personal data have been unlawfully processed • - compliance with a legal obligation • - personal data have been collected online Controller IS obliged to erase the data - erase any links, copies or replications Controller NOT obliged to erase the data - freedom of expression and information - compliance with a legal obligation - public interest in the area of public health - archiving, scientific or historical research, statistical purposes - establishment, exercise or defense of legal claims. Rectification and erasure
  • 40. Restriction on processing • Accuracy contested by the data subject • Processing is unlawful, data subject opposes erasure, requests restriction • Controller no longer needs the data, data subject does for legal reasons • Pending verification re legitimate grounds vs data subject’s rights • IF Restricted: data subject's consent required for processing • Notification obligation: lifting restriction, rectification, erasure Right to data portability • Right to receive data in a structured machine-readable format • Right to transmit those data to another controller • Does not apply to processing in public interest or official authority
  • 41. Right to object • Right to object, on grounds relating to situation, at any time • Right to object includes profiling • Data subject’s rights vs. compelling legitimate grounds for the processing • Direct marketing purposes – opt out • Right to object presented clearly and separately from any other information Scientific or historical research purposes or statistical purposes • Right to object exists unless the processing purpose is public interest Automated individual decision-making, including profiling • Right not to be subject to an automated decision which produces legal effects • EXCEPT: contract relationship, authorised by law, explicit consent • Right to obtain human intervention and to contest the decision
  • 42. Union or Member State law may restrict obligations and rights when necessary and proportionate to safeguard: • National security • Defense • Public security • Prevention, investigation, detection or prosecution of crimes • Prevention of threats to public security • Important objectives of general public interest • Important economic or financial interest of the Union or of a Member State • Public health and social security • Protection of judicial independence and judicial proceedings • Breaches of ethics for regulated professions • Monitoring, inspection or regulatory function connected to exercise of official authority Any legislative measure shall contain specific provisions that balance these rights
  • 43. CONTROLLER AND PROCESSOR Responsibilities | Security | Data breaches | DPO Impact assessment | Code of Conduct | Certification
  • 44. Responsibility of the controller • Appropriate technical and organizational measures to ensure compliance • Appropriate data protection policies by the controller. • Adherence to approved codes of conduct • Safeguards: pseudonymization, data-protection principles, data minimization • Procedural controls • Certification mechanism Joint controllers • Two or more controllers jointly determine the purposes and means of processing • Determine their respective responsibilities • Designate a contact point for data subjects • Arrangement shall be made available to the data subject. Representative • Controllers or processors not established in the Union shall have a representative
  • 45. Processor • Processing on behalf of a controller • Appropriate technical and organizational measures to ensure compliance • Written authorization and contract with controller • Documented instructions and legal grounds • Confidentiality obligation • Assist the controller via technical, organizational and other means to ensure compliance • Upon completion of processing either deletes or returns data to controller • Maintains audit trail, documented inspections and audits • Informs controller about any infringements • Subcontracting – same rules apply to all processors • Adherence to code of conduct, contracts and certifications • EC and Supervisory authorities may adopt standard contractual clauses • In case of infringement the processor shall be considered a controller • The processor shall not process data except on instructions • Controllers and processors maintain detailed records of processing activities • The controller and the processor shall cooperate with supervisory authorities
  • 46. Security of personal data Security of processing • - state of the art and costs of implementation • - nature, scope, context and purposes of processing • - likelihood and severity of risks to natural persons Technical and organizational measures to ensure appropriate security • - pseudonymization and encryption of data • - confidentiality, integrity, availability and resilience of processing systems and services • - ability to restore availability and access to data after an incident • - testing, assessing and evaluating the effectiveness of measures Security assessments • Consider risks from unlawful destruction, loss, alteration, unauthorized disclosure or access • Code of conduct, certification mechanism as means to demonstrate compliance • Access to data limited to processing purpose
  • 47. Data breaches Breach notification to SA • Notification of a personal data breach to the supervisory authority • Controller to SA within 72 hours after having become aware of a breach • Processor shall notify controller • Content: nature and extent of the breach, contact point, likely consequences and measures • Documentation: remedial actions taken Breach notification to the data subjects • High risk breaches shall be communicated to data subjects • Nature of the breach and measures taken • Not required if: • - the data was encrypted, • - high risk no longer likely due to measures implemented • - disproportionate effort, public communication sufficient • Supervisory authority may require the controller to communicate the breach
  • 48. Data protection impact assessment High risk: new technologies, nature, scope, context and purposes Impact assessment required: • - a systematic evaluation of personal aspects via automated processing/profiling • - large-scale processing of special categories of data • - a systematic monitoring of a publicly accessible area on a large scale • Supervisory authority shall establish a list of activities where impact assessment is required Impact assessment shall contain: • - description of processing operations and purposes • - assessment of the necessity, proportionality and risks to data subjects • - measures to address the risks (safeguards, security measures) • - codes of conduct • - controller shall seek the views of data subjects or their representatives • - periodic reviews to assess compliance with impact assessment and reassessment • - High risk data processing: controller shall consult SA • - Member States may require authorization for certain tasks performed in public interest
  • 49. Data Protection Officer Data protection officer • The controller/processor shall designate a data protection officer where relevant • A DPO may be designated for several public authorities • DPO may act for associations representing controllers or processors • DPO should be an expert on data protection law and practices • DPO's contact must be public • DPO must be involved in all data protection issues • DPO shall be bound by secrecy or confidentiality DPO tasks • Advise controller/processor on requirements of the regulation and monitor compliance • Be involved in audits and impact assessments • Cooperate with SA and act as contact point
  • 50. Code of Conduct, Certification Code of Conduct • Member States, Supervisory Authorities, the Board and the Commission encourage • Associations representing controllers/processors prepare Codes of Conduct • Include out-of-court proceedings and dispute resolution • The Board shall collate all approved Codes of Conduct and make them public • Accredited monitor of compliance Certification • Member States, Supervisory Authorities, the Board and the Commission encourage • Approved data protection certification mechanisms, seals or marks • Enforceable commitments, contractual or other • Certification shall be voluntary, available via transparent process • Certification bodies shall be accredited on the basis of criteria approved by SA • The Commission may adopt implementing acts on technical standards for certification
  • 51. TRANSFERS TO THIRD COUNTRIES General principles | Derogations International cooperation
  • 52. General principles for transfers • Level of protection of natural persons guaranteed by this Regulation is not undermined Transfers on the basis of an adequacy decision • Favorable Adequacy decision by the Commission – no special authorization required Transfers subject to appropriate safeguards • Adequacy decision not available: providing appropriate safeguards, enforceable rights and effective legal remedies for data subjects are available. Subject to the authorization from the competent supervisory authority • Contractual clauses • Provisions in administrative arrangements Authorizations based on Directive 95/46/EC remain valid until amended/replaced Binding corporate rules, subject to approval by supervisory authority Transfers or disclosures not authorized by Union law Transfers to third countries and international organizations
  • 53. Derogations for specific situations • Explicit consent of data subject • Transfer is necessary for the performance of a contract • Important reasons of public interest (public interest recognized in Union law) • Establishment, exercise or defense of legal claims • Vital interests of the data subject/other persons, data subject incapable of giving consent • Public register • Binding corporate rules International cooperation for the protection of personal data • The Commission and supervisory authorities shall take appropriate steps to • - develop international cooperation mechanisms to facilitate the effective enforcement • - provide international mutual assistance in enforcement • - engage relevant stakeholders at furthering international cooperation enforcement • - promote the exchange and documentation of legislation and practice Transfers to third countries and international organizations
  • 54. SUPERVISORY AUTHORITIES General conditions | Competence | Tasks | Powers
  • 55. Independent supervisory authorities Each Member State shall • have at least one supervisory authority • notify to the Commission by 25 May 2018 on its provisions • provide their SAs with resources, premises and infrastructure General conditions for the members of SAs • Appointed by means of a transparent procedure • Have the qualifications, experience and skills, required to exercise its powers • The duties of a member shall end upon leaving office • A member shall be dismissed only in cases of serious misconduct Rules on the establishment of the supervisory authority • Each Member State shall provide by law for establishment of SAs, qualifications and eligibility, rules for appointing its members, term duration, conditions and prohibitions • SA staff shall be subject to a duty of professional secrecy
  • 56. Competence, tasks and powers Competence • Each SA shall be competent for the performance of the tasks assigned • SAs shall not supervise processing operations of courts reviewing them • Competence of the lead supervisory authority Tasks • SA shall on its territory monitor and enforce the application of this Regulation • Promote public awareness on data processing • Advise the national institutions and bodies • Promote awareness of controllers and processors of their obligations • Provide information to data subjects • Handle complaints • Cooperate with other supervisory authorities • Conduct investigations, monitor relevant developments and practices • Adopt standard contractual clauses, maintain list of impact assessments • Any other tasks related to the protection of personal data.
  • 57. Competence, tasks and powers Powers • Request information from controller and processor relevant to its tasks • Carry out investigations, audits and review on certifications • Access to any premises • Issue warnings, reprimands and orders to comply • Impose limitation or ban on processing • Order rectification or erasure of personal data or restriction of processing • Withdraw certification, impose administrative fine • Order suspension of data flows to third country or to an international organization • Issue opinions to national institutions • Authorize processing • Approve draft codes of conduct • Accredit certification bodies, issue certifications and approve criteria of certification • Adopt standard data protection clauses, and administrative arrangements • Approve binding corporate rules • Bring infringements of this Regulation to the attention of the judicial authorities • Write annual report on its activities
  • 58. COOPERATION & CONSISTENCY Supervisory Authorities | The Board | EDPS
  • 59.
  • 60. Cooperation • Cooperation between the lead supervisory authority and the other SAs • Lead SA shall cooperate with other SAs to reach consensus • Exchange all relevant information with each other • Request mutual assistance in investigations • Adopt decision and notify the controller/processor Mutual assistance • Relevant information and mutual assistance to each other • Requests for assistance formalized and reasoned, information in a standardized format • The Commission may specify the format and procedures for mutual assistance Joint operations • Joint investigations and joint enforcement measures • Controller or processor has establishments in several Member States • Significant number of data subjects in more than one Member State affected • SA may confer powers on the seconding SA's members or staff • Provisional measures on the territory, urgent binding decision
  • 61. Supervisory authorities and the Commission apply this Regulation consistently throughout the Union Opinion of the Board • Where a competent SA intends to adopt any of these measures • List of the processing operations for impact assessments • Code of conduct, criteria for accreditation • Standard data protection clauses, contractual clauses, binding corporate rules • Procedure for requests of Board opinion in other matters • Dispute resolution by the Board in specific situations Urgency procedure • Exceptional circumstances • Supervisory authority sees an urgent need to act • Immediately adopt provisional measures on its own territory for up to 3 months • Measures and reasons communicated to other SAs, the Board and to the Commission • SA may request an urgent opinion or an urgent binding decision from the Board Exchange of information • The Commission may adopt implementing acts for the exchange of information
  • 62. Supervisory authorities and the Commission apply this Regulation consistently throughout the Union European Data Protection Board (the Board) • Established as a body of the Union • Represented by its Chair: Giovanni Buttarelli and Wojciech Wiewiórowski • Member States’ SA heads and of the European Data Protection Supervisor • More than 1 SA in a Member State – appoint joint representative • The Commission can participate in Board activities and meetings without voting right • EDPS shall have voting rights only on decisions which concern principles and rules The Board ensures the consistent application of this Regulation • - monitors and ensures correct application of this Regulation by SAs • - advises the Commission • - issues guidelines, recommendations, and best practices and reviews their application • - carries out accreditation of certification bodies • - promotes cooperation, common training programs and facilitates personnel exchanges • - maintains publicly accessible electronic registry of decisions by SAs and Courts • - consults interested parties and gives them the opportunity to comment
  • 63. European Data Protection Board Reports • The Board shall draw up an annual report • Review of the practical application of the guidelines and best practices Procedure • The Board decides by a simple majority and adopts its own rules of procedure Chair • The Board shall elect a chair and two deputy chairs, 5-year term, renewable once Tasks of the Chair • Convenes Board meetings, notifies decisions, ensures performance of the Board Secretariat • The Board shall have a secretariat provided by the EDPS • The secretariat performs its tasks under the instructions of the Chair of the Board • EDPS staff is subject to separate reporting lines • The secretariat provides analytical, administrative and logistical support to the Board Confidentiality • The discussions of the Board shall be confidential where necessary • Access to documents submitted to the Board shall be governed by Reg. (EC) 1049/2001
  • 64. REMEDIES, LIABILITY, PENALTIES Complaints | Judicial remedies | Representation | Fines
  • 65. Right to lodge a complaint • Every data subject shall have the right to lodge a complaint with a supervisory authority • The supervisory authority shall inform the complainant on progress and outcome Right to an effective judicial remedy against a supervisory authority • Each natural or legal person shall have the right to an effective judicial remedy • Proceedings against a SA shall be brought before the courts of the Member State Right to an effective judicial remedy against a controller/processor • Each data subject shall have the right to an effective judicial remedy • Proceedings against a controller/processor shall be brought before the courts Representation of data subjects • Data subjects shall have the right to mandate an NGO to lodge complaint on their behalf • Such NGO may also act independently of a data subject's mandate • Suspension of proceedings if the same subject matter is pending decision elsewhere
  • 66. Right to compensation and liability • Any person who has suffered damage shall have the right to receive compensation • Any controller involved in processing shall be liable for the damage • A controller/processor shall be exempt if it proves that it is not responsible for the damage • More than one controller/processor are involved, all shall be liable General conditions for imposing administrative fines • Each SA shall be effective, proportionate and dissuasive • Administrative fines shall respect the nature, gravity and duration of the infringement, damage suffered, intent/negligence, mitigation efforts, degree of responsibility, degree of cooperation with SA, previous measures, adherence to code of conduct, other • Infringements of specific provisions: fines up to 10 000 000 EUR (or 2 % turnover) • Infringements of specific provisions: fines up to 20 000 000 EUR (4 %) • Non-compliance with an order: fines up to 20 000 000 EUR (4 %) • Procedural safeguards include effective judicial remedy and due process • Legal remedies shall be effective, proportionate and dissuasive Penalties • Member States shall lay down the rules on other applicable penalties
  • 67. SPECIFIC PROCESSING SITUATIONS Balancing rights | Public interest | Official documents Obligation of Secrecy | Churches
  • 68. Processing and freedom of expression and information • Journalistic, academic, artistic, literary purposes: exemptions or derogations • Each Member State shall notify the Commission of its laws Processing and public access to official documents • Personal data in official documents may be disclosed in accordance with law Processing of the national identification number • Specific conditions for processing of a national identification number or other identifier right to the protection of personal data right to freedom of expression and information, journalistic, academic, artistic or literary expression
  • 69. Processing in the context of employment • Specific rules for processing of employees' personal data • Human dignity, legitimate interests and fundamental rights Archiving, research & statistics • Safeguards and derogations for archiving, scientific or historical research, statistics • Principle of data minimization • Pseudonymization • Derogations necessary for the fulfilment of specific purposes Obligations of secrecy • Specific rules to obligation of secrecy for controllers/processors Existing data protection rules of churches and religious associations • Comprehensive rules relating to the protection of natural persons • Churches and religious associations shall be subject to the supervision of a specific independent supervisory authority
  • 70. DELEGATED & IMPLEMENTING ACTS Delegated Acts | Final provisions | Related EU law
  • 71. Delegated acts and implementing acts • The Commission shall adopt delegated acts • A delegated act shall enter into force only if no objection has been expressed by either the European Parliament or the Council within three months Committee procedure • The Commission shall be assisted by a committee • Articles 5 and 8 of Regulation (EU) No 182/2011 apply Final provisions • Directive 95/46/EC is repealed with effect from 25 May 2018. • This Regulation shall not impose additional obligations on natural or legal persons in relation to processing of information from social networks set out in Directive 2002/58/EC. Relationship with previously concluded Agreements • International agreements concluded prior to 24 May 2016 remain in force until replaced • By 25 May 2020 the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council and make it public • The Commission shall submit proposals to amend Union laws to ensure consistency
  • 72. Related EU law • Personal data processing by EU institutions • Governed by Regulation (EC) No 45/2001 • Processing of personal data by the Union institutions, bodies and agencies. • Movement of data within the EU • Movement of data within the EU: Article 290 TFEU delegated to the Commission. • Personal data processing by National authorities • Governed by Directive (EU) 2016/680 • Prevention, investigation, detection, prosecution of crimes; security threats • Specific provisions for anti-money laundering and forensic laboratories • Personal data processing by Intermediary service providers • Directive 2000/31/EC liability rules (Articles 12 to 15) • Free movement of information society services between Member States. • Consent to personal data processing: • Council Directive 93/13/EEC: a declaration of consent must be intelligible, easily accessible, in a clear and plain language w/o unfair terms. • Confidential information collected for statistical purposes • European statistics - Article 338(2) TFEU and national law (national statistics) • Regulation (EC) No 223/2009: statistical confidentiality for European statistics. • Reuse of public sector information • Directive 2003/98/EC on reuse of public sector information Regulation (EC) No 45/2001 Directive (EU) 2016/680 Directive 2000/31/EC Article 338(2) TFEU Regulation (EC) No 223/2009 Directive 2003/98/EC
  • 73. ARETE-ZOE, as a consultancy, provides solutions to complex problems in the high stakes and high consequence environment of Global Pharmaceuticals, including clinical research, healthcare informatics, and public health. We blend established Pharma sector methodologies, innovation, and adaptations/transfers from other sectors to identify and resolve consequential practices that pose risk and often result in avoidable patient casualty. However, we are specifically not a patient advocacy group but believe in optimizing organizational effectiveness and that smart business is agile, competitive and profitable, while intrinsically safe, secure, and resilient. We work within a global context because transnational interests influence national circumstances and choices at point of prescription. ARETE-ZOE provides full spectrum organizational and operational risk management consultancy. Our published materials provide a glimpse of some aspects of our services to demonstrate both knowledge and ongoing participation within the Pharmaceutical Industry. Our analysis and consultancy includes all channels of misuse, diversion, counterfeiting and illicit exploitation of pharmaceuticals, medical devices, and precursor chemicals. Our advisement is to manufacturers, jurisdictional entities, insurers, legislators, litigators, patients, and health care providers. This scope also frequently segues into the nexus of crime and terrorism as significant influencers that undermine sector integrity differentiated from other criminal activity. Obviously, vulnerability assessment, information collection management and intelligence production supporting decision-making for risk reduction and interventions are routinely within the scope of our services as well as design and implementation of operational control measures.