Presentation given at the DataGuidance's webinar "Brazil: Towards Privacy Compliance", about the Brazilian Draft Bill for the Protection of Personal Data (Anteprojeto de Lei para a Proteção de Dados Pessoais) issued in January 2015, which introduced concepts such as the Data Protection Officer and Binding Corporate Rules.
Information Security: The Trinidad & Tobago Legal Context - Jason Nathu
Presentation to students completing the Information System Security, Ethics and Law course of the Master of Information System & Technology Management at the Lok Jack Graduate School of Business on 12 July 2015.
Introduction to EU General Data Protection Regulation: Planning, Implementati... - Financial Poise
The GDPR changed the way the world collects, stores, and sends personal data. The GDPR is a broad EU regulation that requires businesses to protect the personal data of EU citizens, whether the business itself is in the EU or elsewhere. Since its implementation in 2018, companies that collect data on EU citizens must comply with strict rules for the protection of personal data or face heavy fines for non-compliance. This webinar will provide an overview of GDPR's applicability and requirements, as well as how your organization may meet those standards.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-eu-general-data-protection-regulation-planning-implementation-and-compliance-2021/
This is a slightly modified version of a presentation that I gave to fellow lawyers last week. It explains what GDPR is, the policy of data protection and the evolution of data protection legislation from the OECD Guidelines and Council of Europe Convention to the GDPR. It explores the regulation focusing on the data protection principles and, in particular, the lawfulness requirement and the validity of consent. The presentation mentions the Law Enforcement Data Protection Directive, the Data Protection Bill and the arrangements post Brexit. Finally, it considers the preparations recommended by the Information Commissioner for small businesses.
GDPR is coming for you whether you're ready or not. Companies must show compliance by May 25, 2018. Take a look at the presentation to learn more about the new law that is going to change the way data is handled across the world. Read about how it affects you and the steps you can take to make sure you're GDPR ready!
About Extentia Information Technology:
Extentia is a global technology and services firm that helps clients transform and realize their digital strategies. With a focus on enterprise mobility, cloud computing, and user experiences, Extentia strives to accomplish and surpass your business goals. Our team is differentiated by an emphasis on excellent design skills that we bring to every project. Extentia’s work environment and culture inspire team members to be innovative and creative, and to provide clients with an exceptional partnership experience.
www.extentia.com
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur... - Financial Poise
There is no federal law governing privacy and data security applicable to all US citizens. Rather, individual states and regulatory agencies have created a patchwork of protections that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and regulations which may impact your business, from the state law protecting personal information to regulations covering the financial services industry to state breach notification laws.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-2020/
An In House Counsel and Privacy Practitioners update on the changed regulatory landscape.
The Privacy and Data Protection Act 2014 received Royal Assent on 2 September 2014.
The new legislation replaces the Information Privacy Act 2000, and the Commissioner for Law Enforcement Data Security Act 2005, with a unified scheme governing the handling of personal information and data by Victorian Public sector agencies.
General Data Protection Regulation for Ops - Kamil Rextin
A brief on GDPR and Hubspot for Marketing and Marketing Ops.
This PPT provides a brief background on GDPR and how to implement GDPR compliance with Hubspot, Facebook and Google Analytics.
Since the days of California's pioneering data breach notification law, virtually all states have implemented some form of consumer ID theft protection law. In 2008, the focus shifted to the east coast, when Massachusetts took it beyond notification, and issued their regulations for the protection of personal information, viewed by many as the most proscriptive in the US. This presentation will provide a general overview of state law, but focus on how the MA regulations evolved from the version issued in Sept 2008 to what became effective March 2010, how organizations are responding, and some potential implications for the future.
Allison Dolan, Program Director, Protecting Personally Identifiable Information, Massachusetts Institute of Technology
Allison F. Dolan is currently Program Director, Protecting Personally Identifiable Information at the Massachusetts Institute of Technology. This program is co-sponsored by the Institute Auditor and Vice President for Information Services and Technology (IS&T). Previously, Allison spent 10 years in IS&T, including roles as Director of Shared Services - Finance, Administration and HR, and as Director of Telephony Services. Allison’s MIT experience was preceded by 20 years of combined information systems, operational, and leadership experience at Eastman Kodak. Allison holds a BA degree from the University of Delaware, with a double major in Computer Science and Economics.
Explores:
1. Introduction to Privacy Regimes in the United States and Abroad
2. Mobile Applications and Devices
3. Lawful Collection and Use of “Big Data”
4. International Privacy and Cross-Border Data Transfers
5. Data Security Requirements and Data Breach Response
6. IT Outsourcing and the Cloud
7. Recent Developments and Emerging Issues
Our administrative and public law seminar covered:
- a review of the last 12 months in FOIA and a case law update
- scope of prerogative powers - what are they and what is the scope of them; the topic is very much in the news at the moment due to Brexit
- non EU treaty obligations of relevance to administrative law
- procurement in 2016 and beyond - current trends, updates and the impact of Brexit
- case law update on various areas of public law, including judicial review.
EU Personal Data Protection Directive = Objective of the EU Directive on personal data + Requirements for organizations to comply with the regulation + How the vendor Sophos can help achieve compliance with the regulation
How GDPR works: companies will be expected to be fully compliant from 25 May 2018. The regulation is intended to establish one single set of data protection rules across Europe.
GDPR clinic - A strategic approach for compliance with the European General Data Protection regulation
Paolo Balboni Ph.D. - Founding Partner at ICT Legal Consulting & President of the European Privacy Association
Nicola Franchetto LL.M. - Associate at ICT Legal Consulting &
Fellow of the European Privacy Association
The Evolution of Data Privacy - A Symantec Information Security Perspective o... - Symantec
The European Union's proposed General Data Protection Regulation (GDPR) has left even the most informed confused. This new regulation is designed to update the current legislation, which was drafted in a time that was, in technology terms, prehistoric. The Data Protection Directive, drafted back in 1995, harks back to a time when data processing was more about filing cabinets than data rack enclosures. It's time to evolve.
Data has emerged as one of the most important resources of today's world. However, there are no clear rules on how to make use of this resource. There are spillover effects and negative externalities in the form of privacy breaches while exploiting this resource. In such a situation, what should the legal remedy be?
The law should find a balance between the interests of the customers and the corporations. The customers want safety and privacy, whereas corporations want commercial use of data, which puts the customers' interests at risk.
Article 9: Special categories of data
Special categories of data are sensitive information about individuals and need more protection.
Individuals' rights and freedoms are at increased risk when this type of data is processed. It may put them at risk of unlawful discrimination.
Unit 6 Privacy and Data Protection 8 hr - Tushar Rajput
Right to Privacy and its Legal Framework, The Concept of Privacy, National Legal Framework for Protecting Privacy, International Legal Framework for Protecting Privacy, Privacy Related Wrongs and Remedies, Data Security, The Concept of Security in Cyberspace, Technological Vulnerabilities, Legal Response to Technological Vulnerabilities, Security Audit (VA/PT), Data Protection, Data Protection Position in India, Privacy Policy, Emerging Issues in Data Protection and Privacy, BPOs and Legal Regime in India, Protect Kids' Privacy Online, Evolving Trends in Data Protection and Information Security
Data Protection Guide – What are your rights as a citizen? - Edouard Nguyen
Guide to UK Data Protection Law. EUROPA - Internal Market - Data Protection - Data Protection Guide – What are your rights as a citizen? http://ec.europa.eu/justice/policies/privacy/docs/guide/guide-ukingdom_en.pdf
General reflection on the liability of agents in the processing of personal d... - Renato Monteiro
Seminar on the liability of the agents responsible for the processing of personal data in Brazil, presented at the VI Seminar on Privacy and Personal Data Protection, organized by the Brazilian Internet Steering Committee (Comitê Gestor da Internet Brasil, CGI.br): http://seminarioprivacidade.cgi.br/
http://seminarioprivacidade.cgi.br/files/ApresentacaoRenatoLeiteMonteiro.pdf
Personal data protection and the Marco Civil da Internet - Renato Monteiro
Closing talk of the Mind The Sec event (http://mindthesec.com.br/), in August 2015, in which I addressed the legal landscape of data protection at the time and the trends for future regulation.
Medical technologies and data protection issues - food for thought - Renato Monteiro
Document prepared towards the modernization procedure of the Council of Europe's Convention 108 on the Protection of Personal Data. Available at: http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD-BUR%282014%2904Rev%20-%20Medical%20Data%20%28By%20Renato%20Leite%29.pdf
1. Draft Bill of Law on the Protection of Personal Data
RENATO L. MONTEIRO
2. Brazil – Sectorial legislation
PROVISIONAL MEASURE 2.200/2001: digital certification;
FEDERAL LAW 8.078/1990: Consumer Code, which regulates consumer databases;
FEDERAL LAW 9.983/2000: crime of inserting false data in public administration information systems;
COMPLEMENTARY LAW 105/2001: regulates confidentiality within the financial system;
FEDERAL LAW 10.406/2002: Civil Code, which regulates personality rights;
FEDERAL LAW 12.414/2011: addresses the protection of personal data within credit protection databases;
FEDERAL LAW 12.527/2011: right of access to information stored in public databases;
FEDERAL LAW 12.551/2011: addresses the issue of teleworking within labor legislation;
FEDERAL LAW 12.737/2012: crime of invading computer devices (C. Dieckmann);
DECREE 7.962/2013: e-commerce changes to the Consumer Code;
FEDERAL LAW 12.846/2013: anticorruption act (Clean Company Act);
FEDERAL LAW 12.965/2014: Brazilian Civil Rights Framework for the Internet.
3. The Civil Rights Framework for the Internet and digital compliance
Almost every company that has a website or collects personal data electronically is obligated to comply with Brazilian rules.
• "The Civil Rights Framework for the Internet necessarily reinforces the need for compliance with information security principles and unveils the need to establish a privacy compliance structure"
It is good to know that the need to create a privacy compliance structure is going to be reinforced by specific federal legislation on the protection of personal data, the main points of whose draft we present here.
4. Protection of Personal Data (Draft Bill of Law)
The public debate on the drafting of the data protection bill is open until July 5th. Everyone is welcome to participate and collaborate on the elaboration of an innovative and protective new text.
The proposed discussion aims at strengthening fundamental rights while encouraging innovation and tackling challenging global issues.
5. Protection of Personal Data (Draft Bill of Law)
• Jurisdiction;
• Scope of application;
• Personal data;
• Sensitive data;
• Consent (exemptions);
• Data subject´s rights;
• Data Protection Authority;
• Privacy Officer;
• International data transfers;
• Binding Corporate Rules – BCRs;
• Global corporate rules;
• Data breaches and notification requirements;
• Liability;
• Penalties;
• Vacatio Legis.
"Consent is the key-point of the law"
6. Jurisdiction and scope
• Jurisdiction: the law shall apply to any processing operation performed through totally or partially automated means, by a natural person or by a legal person under public or private law, regardless of:
• the country where the natural or legal person is located; and
• the country where the database is located, provided that:
I - The processing operation is performed within the national territory; or
II - The personal data subject to processing have been collected within the national territory (the data subject must be in Brazil at the time of collection, regardless of his/her nationality).
• Scope: the law shall not apply to any data processing that is:
I - Performed by a natural person for exclusively personal purposes; or
II - Performed for exclusively journalistic purposes; or
III - Performed for public safety, defense, State security, public investigation activities and the repression of criminal offences (general principles still apply).
7. Personal data
• Personal data: the concept of personal data was widened when compared to the previous version of the text. It has been influenced by current discussions in Europe towards updating the data protection legal framework. The current definition in the Brazilian draft is based on the EU Regulation:
any data related to an identified or identifiable natural person, including identification numbers, location data, or electronic identifiers
• Sensitive data: sensitive data can now be collected, treated and processed in more cases, as long as there is proper consent, for which the text gives some guidelines and which must be different and separate from the regular consent. The forthcoming DPA will have the authority to issue additional requirements, but at the moment the law goes into effect, no additional requirements may have been issued yet. Nonetheless, the consent must be different from the method used for regular personal data.
• Anonymous data: there is an ongoing trend to consider anonymous data as personal data with regard to the protections listed in the draft bill.
8. Consent
Consent: the requirements for obtaining consent, and the information that must be given to the data subject, have been broadened. The specific purpose for collecting and processing the data must be communicated to the subject prior to obtaining his or her consent. When consent is given, the data subject shall be clearly, adequately, and ostensibly informed about the following points:
I - Specific purpose of the processing;
II - Form and duration of the processing;
III - Identification of the controller;
IV - Controller's contact data;
V - Subjects or categories of subjects to whom the data can be communicated, as well as the scope of disclosure;
VI - Responsibilities of the agents that will perform the processing; and
VII - Data subject's rights.
Right to denial: subjects have the right to deny the collection of their personal data without limiting their access to the services, with some exceptions.
9. Consent exemptions
Consent is exempt in the case of:
• unrestricted public access data;
• a legal obligation of the controller;
• data shared by public authorities;
• contractual obligations;
• historical, scientific, or statistical research, ensuring, whenever possible, the dissociation of the personal data;
• the regular exercise of rights in legal or administrative proceedings;
• life or physical safety;
• healthcare;
• legitimate interests? (open point)
10. Data subject's rights
The personal data subject is entitled to obtain:
• Confirmation of the existence of data processing;
• Access to the data (in an interoperable and open format);
• Correction of incomplete, inaccurate, or outdated data;
• Dissociation (anonymization), blocking, or cancellation of unnecessary or excessive data;
• Data portability? (open point)
• Right to opposition;
• Right to review: the data subject is entitled to request a review of decisions based solely on automated processing of personal data that affect their interests, including decisions aimed at defining their profile or evaluating aspects of their personality.
• The controller shall provide, whenever requested, adequate information about the criteria and procedures used for the automated decision.
11. Data Protection Authority
• Data Protection Authority: the previous version of the text clearly created a separate and independent data protection authority. The new version excluded this chapter of the text, referring to a "competent authority" without defining what will constitute it.
• Privacy Officer: companies will have to employ Privacy Officers, who will be responsible for overseeing compliance with the law and will also serve as a bridge between the company and the "competent authority". The previous version of the bill had set a minimum size of 200 employees. The current version does not set this threshold, but there might be further regulation by the DPA.
13. International Data Transfers
• Adequate level of protection: international transfer of personal data is only allowed to countries that provide a level of protection for personal data equivalent to the level established in this Law, with some exceptions;
• Binding Corporate Rules – BCRs: a long-standing tool in the EU data protection system, Binding Corporate Rules are now included in the new version of the text, which can broadly enhance the flow of data until the Brazilian legal system adapts itself to the new data protection environment;
• Global corporate rules: the possibility of data flow within the same corporate structure was also tackled in the new version of the project;
• Special and specific consent: in the case of countries that do not provide an adequate level of protection, transfer is possible through a specific statement, different from the consent pertaining to other processing operations, and with prior and specific information about the international nature of the operation, including a warning about the risks involved.
14. Liability
• Data breaches and notification requirements: the controller shall immediately report any security incident which might damage the data subjects to the competent body. Prompt notification of the data subjects affected by the security incident shall be mandatory, regardless of the competent body's decision, in cases in which the incident endangers the data subjects' personal safety or can damage them.
• Liability: the current version sets out that both the data processor and the data controller can be held liable for mishandling personal data. Subsidiary liability refers to the need to prove that the company was at fault when mishandling the data.
• Penalties: may be cumulatively applied. Non-compliance with the law may lead to:
• A simple or daily fine;
• The disclosure of the breach;
• Dissociation of the personal data;
• Blocking of the personal data;
• Suspension of the processing of personal data for a period no longer than two years;
• Cancellation of the personal data;
• Prohibition of the processing of sensitive personal data for a period no longer than ten years; and
• Prohibition of database operation for a period no longer than ten years.
• Vacatio Legis: companies will have 120 days from the entry into force of the law to adapt to the new data protection rules. But there is no estimate of when that will be; it might take some years.