This document provides an overview of GDPR requirements for data collection and processing by non-profit organizations. It discusses the key questions non-profits need to ask themselves to be compliant, including what personal data they collect, if their processing is documented, who is responsible for compliance, if they are transparent about collection, and if they ever delete data. It covers topics like the definition of personal data, requirements for documentation and record keeping, designating a data protection officer, obtaining consent, and having a privacy policy. The document aims to help non-profits understand their obligations under GDPR for fundraising activities.
The Personal Data Protection Bill 2018 is to be presented before the Parliament shortly with necessary amendments. This bill is applicable to India, along the lines of the GDPR of the European Union.
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTION - IJNSA Journal
Rapid technological change and globalization have created new challenges when it comes to the protection and processing of personal data. In 2018, Brazil presented a new law that has the proposal to inform how personal data should be collected and treated, to guarantee the security and integrity of the data holder. The General Law Data Protection - LGPD, was sanctioned on September 18th, 2020. Now, the citizen is the owner of his personal data, which means that he has rights over this information and can demand transparency from companies regarding its collection, storage, and use. This is a major change and, therefore, extremely important that everyone understands their role within LGPD. The purpose of this paper is to emphasize the principles of the General Law on Personal Data Protection, informing real cases of leakage of personal data and thus obtaining an understanding of the importance of gains that meet the interests of Internet users on the subject and its benefits to the entire Brazilian society.
Published in the European Official Journal on May 4 2016 and become effective on May 24 2016, at a distance of two years, the legislation that will reform the European legislation on protection of data, matches its direct implementation in Italy.
The General Data Protection Regulation, better known as GDPR, will enter into force on May 25 2018: the legislation is going to make a significant change on how data is managed and protected by – and from - private companies.
GDPR for public sector DPO's seminar, April 2018, Manchester - Browne Jacobson LLP
From 25 May 2018 all public bodies must have a Data Protection Officer (DPO). The DPO must have ‘expert’ knowledge of both data protection law and practice. This session is directed at individuals within public sector organisations who will be acting as DPO, their deputies and those advising them.
Visit our website for more useful resources - https://www.brownejacobson.com/sectors-and-services/sectors/public-sector
Applying the Personal Data Protection Act (Singapore) - Benjamin Ang
Presented at a workshop for the Internet Society Singapore Chapter in May 2013. Visit techmusicartandlaw.blogspot.com to contact the author, or www.isoc.sg to find out more about the Internet Society in Singapore
This presentation deals with insights on how an offshore IT organization has to get ready to align with the General Data Protection Regulation issued by the European Union.
Presentation at the CPPP conference 2020 on the core issues SMEs and SME Associations have identified in applying the GDPR. This research work has been developed within the STAR II project.
Are blockchain and EU-GDPR compatible? This presentation from 2020, from Dennis Hillemann (Podcast: The Blockchain lawyer), explains the most important legal challenges. The presentation explains:
- What are basic principles of GDPR?
- What are basic functionalities of the blockchain technology?
- What main issues are there between GDPR and blockchain technology?
- What is personal data in a blockchain scenario?
- Personal data & encryption & hashing
- Salting and Peppering
- Data processor and controller in a blockchain scenario
- Right to rectification and right to erasure
- Transfer to third countries
- National and international activities to bring Blockchain and GDPR together.
The European General Data Protection Law (also known as EU-DSGVO) becomes effective as of May 25 and is of VITAL importance.
In the easiest sense it’s important as it involves fines of up to 2 million Euros or 4% of worldwide turnover (whatever scares you more). Fines not only come into play upon actual data loss, but already if data *could* get lost and for a variety of other reasons. This session covers the most important GDPR topics, both for companies in the European Union and for companies doing business with European companies or citizens. We will also be looking at whether it makes a difference if you are a one person shop or multinational business.
Records Retention and Destruction Policies 2015 - Richard Austin
Overview of records retention and destruction policies including why have an RRDP, issues to consider in developing an RRDP and steps in developing an RRDP
Presentation on the Controller-to-Processor agreements under GDPR, with a main focus on article 28 GDPR and some reference to the standard contractual clauses for Controller-to-Processor agreements as established in 2010 (which are soon to be adapted).
Asia Counsel Vietnam summarises the long awaited Decree 13 on data protection. We provide useful steps to get prepared and comply with the new provisions which will take effect on 1 July 2023.
Key Issues on the new General Data Protection Regulation - Olivier Vandeputte
The General Data Protection Regulation is one of the most wide ranging pieces of legislation passed by the EU in recent years. The GDPR comes into effect on 25 May 2018. The new framework is ambitious, complex and strict. It presents any organization that has so far failed to begin preparations with a steep challenge to become GDPR compliant in time.
We have summarized the key issues in our GDPR brochure.
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC... - Dr. Oliver Massmann
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE BASIC AND GUIDANCE ON PRACTICAL HANDLING
These are the slides used in the presentation I gave alongside Haydn Thomas and Andrew Cross from Lightful.
The presentation was to help charities understand the most pressing implications of GDPR as well from an operational and marketing standpoint.
You can find out more about our organisations here:
https://tech-trust.org/
https://www.lightful.com/
https://www.meetup.com/netsquaredlondon/
The Personal Data Protection Bill, 2019 as introduced in Lok Sabha has been referred to a Joint Parliamentary Committee of both the Houses, under the Chairperson of Smt. Meenakshi Lekhi (New Delhi) M.P. for examination and Report.
It has been decided to seek views and suggestions on the Bill from individuals and associations/bodies concerned.
This is a critical review of the same, with suggestions submitted to the JPC.
IT, Legal, Marketing and Sales departments are all affected by the European Union's General Data Protection Regulation (EU GDPR). EU GDPR is more than an IT governance issue; it impacts the IT architecture and the user journey of your online and offline data capture processes.
General Data Protection Regulation or GDPR - Nupur Samaddar
General Data Protection Regulation or GDPR, the way companies across the world will handle their customers' personal information and creating strengthened and unified data protection for all individuals within the EU.
The recent Facebook-Cambridge Analytica scandal has stirred heated discussions on privacy around the globe. An estimated 87 million people are affected by the data breach. Although the majority of the affected users are in the United States, Facebook published that personal data of over 1 million users in the Philippines, United Kingdom, and Indonesia are also compromised.
For the people who ratified the General Data Protection Regulation (GDPR), the answer is a resounding NO.
As Reinis Papulis of KRONBERGS ČUKSTE DERLING points out, “today’s level of technological development and role of personal data in the provision of various services has made it impossible to ensure the protection of personal data (privacy of individuals) at an adequate level with a legal act that was adopted in the second half of the 90's.”
This has prompted the EU to overhaul its defences against data breaches. Technology changes fast and data collection is at its peak today. Out of the necessity to protect consumers and uphold data privacy, the General Data Protection Regulation is set to be in full effect beginning May 25, 2018.
The battle for data privacy is not lost. And the enforcement of GDPR shows that we can still put up a good fight against companies that treat our personal data as commodities. However, there’s still a long way ahead of us.
Compliance with the Consumer Rights Directive - Patrick Jordens
Presentation by DMCC Nederland of 14 March 2014 for the Klantenservice Federatie.
Contents:
1. Telephone sales at the trader's initiative
2. Written-form requirement after TM (in relation to SEPA)
3. Policy choice
4. Practical implementation
Compliance with the Telemarketing Code of Conduct 2012 (Gedragscode Telemarketing 2012). This presentation by DMCC Nederland covers both the Telemarketing Code of Conduct and the Telemarketing Advertising Code (Reclamecode Telemarketing). What are the consequences in practice?
A presentation on recruiting members and donors sustainably. How do you go about this? In this presentation DMCC Nederland explains how respect for the consumer pays off in more loyal donors and lower attrition in recruitment.
Acorn Recovery: Restore IT infra within minutes - IP ServerOne
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) by IP ServerOne. A DR solution that helps restore your IT infra within minutes.
0x01 - Newton's Third Law: Static vs. Dynamic Abusers - OWASP Beja
If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives... - Orkestra
UIIN Conference, Madrid, 27-29 May 2024
James Wilson, Orkestra and Deusto Business School
Emily Wise, Lund University
Madeline Smith, The Glasgow School of Art
This presentation, created by Syed Faiz ul Hassan, explores the profound influence of media on public perception and behavior. It delves into the evolution of media from oral traditions to modern digital and social media platforms. Key topics include the role of media in information propagation, socialization, crisis awareness, globalization, and education. The presentation also examines media influence through agenda setting, propaganda, and manipulative techniques used by advertisers and marketers. Furthermore, it highlights the impact of surveillance enabled by media technologies on personal behavior and preferences. Through this comprehensive overview, the presentation aims to shed light on how media shapes collective consciousness and public opinion.
This presentation by Morris Kleiner (University of Minnesota) was made during the discussion “Competition and Regulation in Professions and Occupations” held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
Have you ever wondered how search works while visiting an e-commerce site, internal website, or searching through other types of online resources? Look no further than this informative session on the ways that taxonomies help end-users navigate the internet! Hear from taxonomists and other information professionals who have first-hand experience creating and working with taxonomies that aid in navigation, search, and discovery across a range of disciplines.
2. New obligations under the GDPR
In 5 questions
- What data do you collect?
- Is this documented?
- Who’s responsible?
- Are you transparent about your collection?
- Do you ever delete data?
But first:
Some privacy basics
Today’s program
2 www.dmcc.nl
4. Personal data
Privacy = processing of personal data
• Processing
• Personal data
Personal data (Art 1 GDPR): any information relating to an identified or identifiable
natural person (‘data subject’); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an identifier such as a name,
an identification number, location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person.
Special categories of personal data (Art. 9/ 10 GDPR): data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade union membership, genetic
data, biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person's sex life or sexual orientation,
data relating to criminal convictions and offences.
8. Personal data
Where point (a) of Article 6(1) applies, in
relation to the offer of information society
services directly to a child, the processing of
the personal data of a child shall be lawful
where the child is at least 16 years old.
Where the child is below the age of 16
years, such processing shall be lawful only if
and to the extent that consent is given or
authorised by the holder of parental
responsibility over the child.
Member States may provide by law for a
lower age for those purposes provided that
such lower age is not below 13 years.
10. Register of processings
1. Each controller and, where applicable, the controller's representative, shall maintain
a record of processing activities under its responsibility. That record shall contain all of
the following information:
a. the name and contact details of the controller and, where applicable, the joint
controller, the controller's representative and the data protection officer;
b. the purposes of the processing;
c. a description of the categories of data subjects and of the categories of personal
data;
d. the categories of recipients to whom the personal data have been or will be
disclosed including recipients in third countries or international organisations;
e. where applicable, transfers of personal data to a third country or an international
organisation, including the identification of that third country or international
organisation and, in the case of transfers referred to in the second subparagraph of
Article 49(1), the documentation of suitable safeguards;
f. where possible, the envisaged time limits for erasure of the different categories of
data;
g. where possible, a general description of the technical and organisational security
measures referred to in Article 32(1).
11. Data mapping
Fundraising
➢ Donor administration
➢ Volunteer administration
➢ Collection
➢ Petitions
➢ Patient association
➢ Patient/member travels
➢ Website(s) and action pages
➢ Newsletter registrations
➢ Legacies
➢ Major donors
➢ Affiliates
➢ Social media
➢ Cookies
➢ Analytics
Projects
➢ Project management
➢ Investments
➢ Investee/investor due diligence
HRM
➢ Personnel administration
➢ Payroll
➢ Social security
➢ Learning management
➢ Time and attendance
Finance
➢ Creditors
➢ Debtors
➢ Beneficiaries
➢ Billing
➢ Reporting
12. Data mapping
Columns: Donor | Ex-donor | Participant | Prospect | Site visitor | Availability | Confidentiality
Address details: X X X X
E-mail: X X X X
Gender: X X X X
Date of birth: X X
Contact and order history: X X X X
Data regarding payments, transactions etc.: X X X X x
Financial data: X X X
Derived financial data: X X X
Lifestyle characteristics, profile information: X X
Special categories of data
13. Data mapping
[Diagram: data flows between internally managed and externally managed systems (Party 1, Party 2, Party 3). Labelled elements: retention; data analyses; customer data warehouse; customer database; online accounts; Single Customer View (selection tool); database marketing and sales (trial and ex-subscribers); e-mail tool for sales and marketing; blacklist of opt-out requests; automated dialer; websites/landing pages; data enrichment and validation; field marketing tool; channels: telemarketing, e-mail, direct mail, direct sales.]
16. DPA (Art. 28 GDPR)
Governance
Processing by a processor shall be governed by a contract or other legal act under Union
or Member State law, that is binding on the processor with regard to the controller and
that sets out the subject-matter and duration of the processing, the nature and purpose
of the processing, the type of personal data and categories of data subjects and the
obligations and rights of the controller. That contract or other legal act shall stipulate, in
particular, that the processor:
a. operates under clear instructions
b. ensures confidentiality;
c. takes appropriate security measures
d. will inform about any sub processors
e. helps the controller respond to requests from data subjects
f. assists the controller in ensuring compliance
g. at the choice of the controller, deletes or returns all the personal data to the
controller after the end of the provision of services relating to processing
h. makes available to the controller all information necessary to demonstrate
compliance with the obligations laid down in this Article and allow for and contribute
to audits, including inspections, conducted by the controller or another auditor
mandated by the controller.
17. DPO (Art 37 GDPR)
Governance
The controller and the processor shall designate a data protection officer in any case
where:
a. the processing is carried out by a public authority or body, except for courts acting in
their judicial capacity;
b. the core activities of the controller or the processor consist of processing operations
which, by virtue of their nature, their scope and/or their purposes, require regular
and systematic monitoring of data subjects on a large scale; or
c. the core activities of the controller or the processor consist of processing on a large
scale of special categories of data pursuant to Article 9 and personal data relating to
criminal convictions and offences referred to in Article 10.
19. A. Fair and lawful processing
Art. 6 GDPR
a) consent (= opt-in, e-mail, SMS, social media and cookie data)
b) contract (gift, donor agreement, legacies)
f) legitimate interest (profiling, direct mail etc.)
Direct marketing is a legitimate business interest
Lawful processing
20. B) In a transparent manner
Art 12, 13 and 14 GDPR
Information relating to processing to the data subject in a concise, transparent, intelligible
and easily accessible form, using clear and plain language about:
1) Identity
2) Purpose
3) Category of data
4) Rights
5) Third parties
Transparency
27. Art 4 GDPR
(8) ‘the data subject’s consent’ means any freely-given, specific and informed (…) indication
of his or her wishes by which the data subject, either by a statement or by a clear
affirmative action, signifies agreement to personal data relating to them being
processed;
Consent
28. Art 7 GDPR
1. Where processing is based on consent, the controller shall be able to demonstrate that
the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also
concerns other matters, the request for consent shall be presented in a manner which is
clearly distinguishable from the other matters, in an intelligible and easily accessible form,
using clear and plain language. Any part of such a declaration which constitutes an
infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The
withdrawal of consent shall not affect the lawfulness of processing based on consent before
its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be
as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of
whether, inter alia, the performance of a contract, including the provision of a service, is
conditional on consent to the processing of personal data that is not necessary for the
performance of that contract.
Consent
29. Freely given
The freedom to say ‘no’ to the transaction without it significantly affecting you or
producing a legal effect
Consent
35. Consent
When
• In effect since 2016
• Implemented by you in May 2018
Positive elements
• Instrument of a regulation
• Transparency obligations
• Fundraising is recognised as a legitimate purpose
37. Data retention
• Use of data limited to as long as necessary for purpose of collection
• De-activating is not enough
• Adequate data retention periods?