Giovanni Maria Riccio, profile picture
Uploaded byGiovanni Maria Riccio
PDF, PPTX140 views

GDPR and Copyright Law

The document provides an overview of the history and key aspects of the General Data Protection Regulation (GDPR) in the European Union. Some key points: - The GDPR was adopted in 2016 and replaced the 1995 Data Protection Directive, establishing a single set of rules on data protection and privacy across the EU. - It aims to strengthen and unify data protection for individuals within the EU, as well as address the export of personal data outside the EU. - The GDPR defines personal data and processing, and establishes six legal bases for processing personal data, including consent. - It gives individuals various rights over their personal data, such as access, rectification, erasure, and data portability

Embed presentation

Download as PDF, PPTX
GDPR Krakow Intellectual Property Summer School Giovanni Maria Riccio Professor of Law gmriccio@unisa.it
The History of the General Data protection Regulation • In 1995, the European Data protection Directive (Directive 95/46 CE) on the protection of individuals with regard to the processing of personal data and on the free movement of these data was adopted. • For the first time, a definition of «personal data» was provided: «any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity» • The Directive specified the meaning of processing data, with a broad definition: «any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction»
The History of the General Data protection Regulation • In 2011, the European Data Protection Supervisor published an Opinion on the European Commission Communication, entitled «a comprehensive approach on the personal data protection in EU» • In 2012, the European Commission proposed a comprehensive reform of the Directive 95/46 to streghten online privacy rights and the European Data Protection Supervisor adopted an opinion on the Commission’s data protection reform package. • In 2014, the European Parliament supported the new regulation on data protection and in 2015 an agreement was reached by the European Parliament, the Council and the Commission. • In 2016, the Regulation (EU) 2016/679 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data was published and entered into force from 24th May 2016. • From 25th May 2018, the GDPR started to be applied
General Data Protection Regulation The General Data Protection Regulation (EU) 2016/679 The same law and the same text for all the member States Approved on May 2016 – Came into force on May 2018 It is applicable also to non European entities where they offer products or services or when they monitor European citizens (eg Google Maps, Facebook, Instagram, etc.)
GDPR - a common framework • The difference between the Directive and the GDPR is that the GDPR does not require the implementation into the national legal framework by the Member States. In fact, the Directive soght to harmonise the protection of fundamental rights and freedoms of natural persons • So, the GDPR is a common framework in all the Member States, without any differences. • The most important aims of GDPR are: - to promote the protection of personal data of natural persons both in the Community and in the external context - to update the legislation on data protection in Europe, with a common framework, that is more adequate to be modified in order to the technological and sociological scenario. • «In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used ». (Whereas 15).
GDPR - a common framework • The Whereas specified the most relevant purposes of the GDPR. The protection of natural persons in relation to the processing of personal data is a fundamental right. • Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her. Article 8: «1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.» Article 16: «1. Everyone has the right to the protection of personal data concerning them. 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.»
The scope of GDPR • The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. • Only to the processing of personal data of natural persons. • To the processing of personal data in the context of the activities of an establishment of a Controller or a Processor in the Union, regardless of whether the processing takes place in the Union or not. • To the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; 2. the monitoring of their behaviour as far as their behaviour takes place within the Union.
The scope of GDPR The processing of personal data should be designed to serve mankind. But the right to the protection of personal data is not an absolute right: it must be balanced against other fundamental rights, in accordance with the principle of proportionality. The GDPR respects all fundamental rights and observes the freedoms and principles, specifically: -the respect for private and family life, home and communications; -the freedom of expression and information; - freedom to conduct a business; -the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity. The GDPR does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of the Regulation 679/2016 into their national law.
Definitions The Article 4 of GDPR provides the most important definitions: Personal data Processing Controller Processor Data Subject any information relating to an identified or identifiable natural person (“the data subject”); for instance, a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity the identified or identifiable natural person, that can be identified directly or indirectly, whose personal data is being collected, held or processed. any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
Definitions • There are special categories of personal data, including the personal data that reveal: 1. racial or ethnic origin; 2. political opinions; 3. religious or philosophical beliefs; 4. trade union membership; Or: 1. genetic data, biometric data; 2. concerning health or a natural person's sex life or sexual orientation. 3. data relating to criminal convictions and offences. Another category consists in anonymous information: the anonymous information is the one that does not relate to an identified or identifiable person or to personal data rendered anonymous in a such manner that the data subject is not or no longer identifiable. But the GDPR does not concern the processing of anonymous information, including for statistical or research purposes.
Principles relating to processing of personal data • Lawfulness, fairness and transparency • Purpose limitation • Data minimisation Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. The data subject must be informed about the processing of these data and the purposes. The Processing shall be lawful only if and to the extent that at least one of the conditions, provided by the Article 6 of GDPR. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Principles relating to processing of personal data • Accuracy • Storage limitation • Integrity and confidentiality Personal data shall be accurate and, where necessary, kept up to date. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measure.
The principle of accountability The GDPR introduced a new principles to data protection, that of accountability. Controllers and processors have to take responsibility for their processing activities and for how they comply with data protection principles and they must be able to demonstrate compliance. Being responsible for compliance means being proactive and organised about data protection, while demonstrating compliance is the ability to present evidence of the steps taken to comply.
Consent • Processing of personal data is lawful only under one of the six legal basis, provided by the Article 6 of GDPR. • The first condition is CONSENT. The data subject has to give his or her consent to the processing of personal data for one or more specific purposes. What does consent mean? And what are the GDPR requirements ? Consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. So, the consent must: 1. be freely given; 2. be specific; 3. be informed; 4. be unambiguous. The controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Other legal basis • Contractual perfomance: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. • Legal obligation: the processing is necessary for compliance with a legal obligation to which the controller is subject. • Vital interest: the processing is necessary in order to protect the vital interests of the data subject or of another natural person. • Public interest or acting under official public authority: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. • Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
What are the rights of the data subject? • the right of access: the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed • the right to rectification: the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. • the right to erasure: the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. • the right to restrict processing: the data subject shall have the right to obtain from the controller restriction of processing, in case of lack of accuracy, when the processing is unlawful, and when the controller no longer needs the personal data for the purposes of the processing. • the right to data portability: the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. • the right to object to processing: the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data • the rights in relation to automated decision making and profiling: the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The right to be informed There is a need for transparency regarding the gathering and use of data in order to allow EU citizens to exercise their right to the protection of personal data. The GDPR acknowledges to individuals the right to be informed about the collection and use of their personal data, which leads to a variety of information obligations by the controller. There are two cases: 1. Where data is obtained directly, the data subject must be immediately informed, at the time the data is obtained. In terms of content, the Controller’s obligation to inform includes his or her identity, the contact data of the Data Protection Processor (if available), the processing purposes and the legal basis, any legitimate interests pursued, the recipients when transmitting personal data, and any intention to transfer personal data to third countries. 2. If personal data is not obtained from the data subject, he or she must be provided the information within a reasonable period of time, but at latest after a month. In cases where the gathered information is used to directly contact the data subject, he or she has the right to be informed immediately upon being approached. As far as content is concerned, the controller has to provide the same specific information as if the personal data would have been directly obtained from the data subject.
The obligations of Controller The data Controller determines the purposes for which, the means by which personal data is processed. But, also the Controller determines the nature, the storage of the processing, and also the data categories. The Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Indeed, taking into account the nature, scope, context and purposes of processing, the Controller shall implement appropriate technical and organisational measures, such as pseudonymization and data minimization. The data pseudonymization consists in substituting the identity of the data subject in such a way that additional information is required to re-identify the data subject. It is different from anonymization, that actually consists in irreversibly destroying any way of identifying the data subject. The Controller shall maintain a record of processing activities under its responsibility, for instance: the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organization etc.
The role of the Data Processor The data processor processes personal data only on behalf of the controller. Where processing is to be carried out on behalf of a Controller, the Controller shall use only Processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. Processing by a Processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the Controller and that sets out the subject- matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. The Processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the Controller.
What does DATA BREACH mean? Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In case of data breach, the controller should communicate to the data subject, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. Indeed, the Controller shall notify the personal data breach to the supervisor authority not later than 72 hours (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons).
The role of DPO • The controller and the processor shall designate a data protection officer in any case where: 1. The processing is carried out by a public authority or body; 2. When the processing operations require regular and systematic monitoring of data subjects on a large scale; 3. When the processing on large scale involves special categories of data. The data protection officer shall have these tasks: 1. to inform and advise the Controller or the Processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; 2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data; 3. to provide advice where requested; 4. to cooperate with the supervisory authority
The role of the Data Protection Authority Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union. • Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers. • Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by: - their Parliament; - their Government; - their head of State; or - an independent body entrusted with the appointment under Member State law Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.
Cooperation, mutual assistance and consistency Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission. • Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. • Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorizations and consultations, inspections and investigations. The supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism. This mechanism should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. It should also apply where any supervisory authority concerned or the Commission requests that such matter should be handled in the consistency mechanism. The mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties
The role of the EDPB The European Data Protection Board is established as a body of the Union, shall have legal personality and shall act independently when performing its tasks. The Board shall ensure the consistent application of GDPR. Some of the relevant tasks of the Board are: • advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of the Regulation; • advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules; • issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services; • examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of the Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of the Regulation
Data protection and copyright How could a balance be possible between the data protection and the right to information, to ensure protection to copyright? The problem of the legitimate restriction of the right to the protection of personal data for the protection of intellectual rights arises with particular reference to the disclosure mechanism, by certain intermediaries, involving the personal data of third parties, previously collected by them for the provision of their services, to copyright holders, to allow to see the violations against them. Examples of violations are: 1. File-sharing networks 2. Peer-to-peer In order to be able to fully exercise their right of defense, the holders of intellectual property rights need to provide contact information relating to offenders, this information that is held by the providers of the connectivity services and/or the hosting providers.
Data protection and copyright The main issue is whether the transfer of this category of data to the copyright holders is lawful without the express consent of the data subjects. Could the transfer only appear as an unauthorized and as unlawful processing of personal data? On one hand, disclosure of data for the identification of infringers could be considered as a transfer to third parties without a legal basis; on the other hand, in the absence of such information, the other subjects may remain unprotected without the possibility to end the violations and obtaining compensation for the economic damages suffered. Is there a right to information that is superior than the personal data protection?
Data protection and copyright • The Article 6 of the Directive 2004/48/EC on the enforcement of intellectual property rights, provides: 1. Member States shall ensure that, on application by a party which has presented reasonably available evidence sufficient to support its claims, and has, in substantiating those claims, specified evidence which lies in the control of the opposing party, the competent judicial authorities may order that such evidence be presented by the opposing party, subject to the protection of confidential information. For the purposes of this paragraph, Member States may provide that a reasonable sample of a substantial number of copies of a work or any other protected object be considered by the competent judicial authorities to constitute reasonable evidence. 2. Under the same conditions, in the case of an infringement committed on a commercial scale Member States shall take such measures as are necessary to enable the competent judicial authorities to order, where appropriate, on application by a party, the communication of banking, financial or commercial documents under the control of the opposing party, subject to the protection of confidential information.
Data protection and copyright The Article 8 of the Directive 2004/48/EC on the enforcement of intellectual property rights, entitled «Right to information» states: 1. Member States shall ensure that, in the context of proceedings concerning an infringement of an intellectual property right and in response to a justified and proportionate request of the claimant, the competent judicial authorities may order that information on the origin and distribution networks of the goods or services which infringe an intellectual property right be provided by the infringer and/or any other person who: (a) was found in possession of the infringing goods on a commercial scale; (b) was found to be using the infringing services on a commercial scale; (c) was found to be providing on a commercial scale services used in infringing activities; (b) or (d) was indicated by the person referred to in point (a), (b) or (c) as being involved in the production, manufacture or distribution of the goods or the provision of the services.
Data protection and copyright Type of information: (a) the names and addresses of the producers, manufacturers, distributors, suppliers and other previous holders of the goods or services, as well as the intended wholesalers and retailers; (b) (b) information on the quantities produced, manufactured, delivered, received or ordered, as well as the price obtained for the goods or services in question. But this provision shall apply without prejudice to other provisions, such as: “govern the protection of confidentiality of information sources or the processing of personal data”.
Data protection and copyright • On the other hand, the Article 23 of GDPR, entitled «Restrictions», provides that the union or the Member states law may restrict the data subject rights when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard: (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; (i) the protection of the data subject or the rights and freedoms of others; (j) the enforcement of civil law claims
Data protection and copyright Peppermint case law- 2003 In 2006, the German record label Peppermint Jam Records Gmbh sent out 3,636 notices of copyright infringements to alleged Italian file-sharers informing them that they have been found guilty of uploading copyrighted songs. Peppermint had watched over consumers in their personal use of the Internet, with the help of their providers, and managed to get users’ data, monitoring their movements. Peppermint in these notices invited the users to pay a compensation for the damage for copyright infringement. The Italian Association consumer consulted the Supervisor Authority, condemning the procedures though which the Peppermint had collected users’ data (IP addresses) ( i.e. without any consent of the users). The final judgement stated that the data collected and the way, in which they were obtained, is unlawful.
Data protection and copyright • Stichting Brein vs Ziggo BV, XS4ALL Internet BV case-law 2017 • Stichting Brein is a foundation governed by Netherlands Law, whose main purpose is to combat the illegal exploitation of subject matter protected by copyright and related rights, and to protect in that area the interests of the holders of those rights. • Ziggo BV and XS4ALL Internet BV (‘XS4ALL’), are companies governed by Netherlands law whose activity consists, inter alia, in providing consumers with an internet service. • Stichting Brein asked to block the access to the Ziggo and XS4ALL Internet BV services by recipients to the internet addresses of the website of TPB, an engine for peer-to-peer file-sharing. The application is based on the fact that the recipients, using those services, commit large-scale copyright infringements, by sharing files containing protected subject matter (mainly music and films) without the authorization of the copyright holders. • Supreme Court of the Netherlands noted, however, that the Court’s case-law did not allow to reply with any certainty to the question as to whether the online sharing platform TPB consisted in a communication to public within the meaning of Article 3(1) of Directive 2001/29, in particular: • – by creating and maintaining a system in which internet users connect with each other in order to be able to share, in segments, works present on their own computers; • – by operating a website from which users can download torrent files which refer to segments of those works; and • – by indexing the torrent files placed online on this website and by categorising them in such a way that the segments of those underlying works can be located and the users can download those works (as a whole) onto their computers. • The CJEU answered to the request of the Court of Netherlands, clarifying that the peer-to-peer tools used by the Website of TPB falls under the concept of communication to public. • For peer to peer tools is meant a sharing platform, which, by means of indexation of metadata relating to protected works and the provision of a search engine, allows users to locate those works and to share them. • Article 3 • 1. Member States shall provide authors with the exclusive right to authorise or prohibit any communication to the public of their works, by wire or wireless means, including the making available to the public of their works in such a way that members of the public may access them from a place and at a time individually chosen by them. • 2. Member States shall provide for the exclusive right to authorise or prohibit the making available to the public, by wire or wireless means, in such a way that members of the public may access them from a place and at a time individually chosen by them: • (a) for performers, of fixations of their performances; • (b) for phonogram producers, of their phonograms; • (c) for the producers of the first fixations of films, of the original and copies of their films; • (d) for broadcasting organisations, of fixations of their broadcasts, whether these broadcasts are transmitted by wire or over the air, including by cable or satellite.

More Related Content

PDF
Privacy and Data Protection in South Africa
byblogzilla
 
PDF
Is Pandemia a Good Reason to Give Up on Privacy
byGiovanni Maria Riccio
 
PDF
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
byCyber Watching
 
PDF
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
byFife Centre for Equalities
 
PDF
Data Protection Guide – What are your rights as a citizen?
byEdouard Nguyen
 
PDF
Quick guide gdpr
byMiguel Mello
 
PDF
euregs
bybwgoodman
 
PDF
Quick Guide to GDPR
byPavol Balaj
 
Privacy and Data Protection in South Africa
byblogzilla
 
Is Pandemia a Good Reason to Give Up on Privacy
byGiovanni Maria Riccio
 
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
byCyber Watching
 
FCE Briefing GDPR and Equal Opportunities Monitoring MAY18
byFife Centre for Equalities
 
Data Protection Guide – What are your rights as a citizen?
byEdouard Nguyen
 
Quick guide gdpr
byMiguel Mello
 
euregs
bybwgoodman
 
Quick Guide to GDPR
byPavol Balaj
 

What's hot

PDF
EU GDPR and you: requirements for marketing
byIT Governance Ltd
 
PDF
Appointing a Data Protection Officer under the GDPR
byIT Governance Ltd
 
PPTX
EU GDPR: The role of the data protection officer
byIT Governance Ltd
 
PPTX
[CB19] Applicability of GDPR and APPI to international companies and the impa...
byCODE BLUE
 
PPT
Data Protection Act
byYizi
 
PDF
Revising policies and procedures under the new EU GDPR
byIT Governance Ltd
 
PDF
ILP Durham webinar: GDPR in the Lighting Industry
byInstitution of Lighting Professionals
 
PPTX
Hacking Health Camp Strasbourg health data & data protection in the Netherlands
byAxon Lawyers
 
PDF
Accountability under the GDPR: What does it mean for Boards & Senior Management?
byIT Governance Ltd
 
PPTX
GDPR presentation BE-Com - IFORI
byKarel Holst
 
DOCX
The implementation of gdpr in greece (1)
byFOTIOS ZYGOULIS
 
PPTX
Clyrofor popia readiness webinar
byLesedi Mnisi
 
PDF
data privacy
byProf. Jacques Folon (Ph.D)
 
PDF
Factsheet data protection and Right to be Forgotten
byEdouard Nguyen
 
PDF
GDPR will be the new regulation on may 2018
byMarjane Moghimi, ERP
 
PDF
Proposal for a Regulation establishing the interoperability of EU informatio...
byThierry Debels
 
DOCX
4
byShredsec Secure Shredding
 
PPT
Dgi slideshare 2014-05-06_en
byDirectorate General Human Rights and Rule of Law - Council of Europe
 
PDF
Порядок денний асоціації Україна-ЄС (18.06.2013)
byIra Smertyha
 
PDF
Datum DPO outsourced May 2016
byMark Honeyball
 
EU GDPR and you: requirements for marketing
byIT Governance Ltd
 
Appointing a Data Protection Officer under the GDPR
byIT Governance Ltd
 
EU GDPR: The role of the data protection officer
byIT Governance Ltd
 
[CB19] Applicability of GDPR and APPI to international companies and the impa...
byCODE BLUE
 
Data Protection Act
byYizi
 
Revising policies and procedures under the new EU GDPR
byIT Governance Ltd
 
ILP Durham webinar: GDPR in the Lighting Industry
byInstitution of Lighting Professionals
 
Hacking Health Camp Strasbourg health data & data protection in the Netherlands
byAxon Lawyers
 
Accountability under the GDPR: What does it mean for Boards & Senior Management?
byIT Governance Ltd
 
GDPR presentation BE-Com - IFORI
byKarel Holst
 
The implementation of gdpr in greece (1)
byFOTIOS ZYGOULIS
 
Clyrofor popia readiness webinar
byLesedi Mnisi
 
data privacy
byProf. Jacques Folon (Ph.D)
 
Factsheet data protection and Right to be Forgotten
byEdouard Nguyen
 
GDPR will be the new regulation on may 2018
byMarjane Moghimi, ERP
 
Proposal for a Regulation establishing the interoperability of EU informatio...
byThierry Debels
 
4
byShredsec Secure Shredding
 
Dgi slideshare 2014-05-06_en
byDirectorate General Human Rights and Rule of Law - Council of Europe
 
Порядок денний асоціації Україна-ЄС (18.06.2013)
byIra Smertyha
 
Datum DPO outsourced May 2016
byMark Honeyball
 

Similar to GDPR and Copyright Law

PDF
Complete Guide to General Data Protection Regulation (GDPR)
byHappiest Minds Technologies
 
PPTX
General Data Protection Regulation (GDPR) | Privacy Law in India |
byBivas Chatterjee
 
PDF
GDPR Demystified
bySPIN Chennai
 
PPTX
GDPR Introduction and overview
byJane Lambert
 
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementat...
byFinancial Poise
 
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementati...
byFinancial Poise
 
PPTX
Introduction to GDPR
byPriyab Satoshi
 
PPTX
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
PPTX
GDPR: Key Article Overview
byCraig Clark ITIL, CIS LI,EU GDPR P
 
PPTX
GDPR - New European Union Legislation
byTekwill
 
PDF
Key Issues on the new General Data Protection Regulation
byOlivier Vandeputte
 
PDF
Guide to-the-general-data-protection-regulation
byN N
 
PDF
Browne Jacobson - Administrative and public law - October 2017
byBrowne Jacobson LLP
 
PDF
GDPR: the legal aspects. By Matthias of theJurists Europe.
byMatthias Dobbelaere-Welvaert
 
PDF
GDPR Whitepaper
byRichard Goddard
 
PDF
GDPR A Privacy Regime
byijtsrd
 
PDF
Development & GDPR
byAndrea Tino
 
PPTX
Introduction to GDPR
byMartyn Ripley
 
PDF
VMTN6642E - GDPR Slide Deck
byKyle Davies
 
PDF
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
bydan hyde
 
Complete Guide to General Data Protection Regulation (GDPR)
byHappiest Minds Technologies
 
General Data Protection Regulation (GDPR) | Privacy Law in India |
byBivas Chatterjee
 
GDPR Demystified
bySPIN Chennai
 
GDPR Introduction and overview
byJane Lambert
 
Introduction to EU General Data Protection Regulation: Planning, Implementat...
byFinancial Poise
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
byFinancial Poise
 
Introduction to GDPR
byPriyab Satoshi
 
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
GDPR: Key Article Overview
byCraig Clark ITIL, CIS LI,EU GDPR P
 
GDPR - New European Union Legislation
byTekwill
 
Key Issues on the new General Data Protection Regulation
byOlivier Vandeputte
 
Guide to-the-general-data-protection-regulation
byN N
 
Browne Jacobson - Administrative and public law - October 2017
byBrowne Jacobson LLP
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
byMatthias Dobbelaere-Welvaert
 
GDPR Whitepaper
byRichard Goddard
 
GDPR A Privacy Regime
byijtsrd
 
Development & GDPR
byAndrea Tino
 
Introduction to GDPR
byMartyn Ripley
 
VMTN6642E - GDPR Slide Deck
byKyle Davies
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
bydan hyde
 

More from Giovanni Maria Riccio

PDF
Cinema e contratti
byGiovanni Maria Riccio
 
PDF
Corso di Legislazione dei beni culturali
byGiovanni Maria Riccio
 
PDF
Metaverso e proprietà intellettuale (copyright, trademark)
byGiovanni Maria Riccio
 
PDF
Diritto d'autore, design e moda
byGiovanni Maria Riccio
 
PDF
International Summer School on Cyber Law - Moscow - July 2014
byGiovanni Maria Riccio
 
PDF
Patrimonio culturale e mondo digitale
byGiovanni Maria Riccio
 
PDF
Art in Public Spaces and Cultural Heritage
byGiovanni Maria Riccio
 
PDF
Privacy e telemarketing
byGiovanni Maria Riccio
 
PDF
Le regole dei giochi
byGiovanni Maria Riccio
 
PDF
Balancing Data Protection and Artificial Intelligence
byGiovanni Maria Riccio
 
PDF
Corso Libertà di informazione. Diffamazione, rettifica, oblio
byGiovanni Maria Riccio
 
PPTX
Quali regole e perché? UE, Data Protection e Intelligenza Artificiale
byGiovanni Maria Riccio
 
PPTX
Indigenous Art & Copyright: Milpurrurru v Indofurn
byGiovanni Maria Riccio
 
PPTX
Startup innovative
byGiovanni Maria Riccio
 
PPTX
Intelligenza artificiale, data protection e copyright
byGiovanni Maria Riccio
 
PPTX
Artificial Intelligence and Copyright: How to Find Balances between Human Cr...
byGiovanni Maria Riccio
 
PDF
G.M. Riccio - National Efforts to Control the Internet: to Regulate or Not? ...
byGiovanni Maria Riccio
 
PPTX
Out-of-Commerce Works and the Copyright Proposal Directive
byGiovanni Maria Riccio
 
PDF
Startup - Marchi, Copyright, Confidentiality Agreement
byGiovanni Maria Riccio
 
PPTX
Authorship NFT Artificial Intelligence.pptx
byGiovanni Maria Riccio
 
Cinema e contratti
byGiovanni Maria Riccio
 
Corso di Legislazione dei beni culturali
byGiovanni Maria Riccio
 
Metaverso e proprietà intellettuale (copyright, trademark)
byGiovanni Maria Riccio
 
Diritto d'autore, design e moda
byGiovanni Maria Riccio
 
International Summer School on Cyber Law - Moscow - July 2014
byGiovanni Maria Riccio
 
Patrimonio culturale e mondo digitale
byGiovanni Maria Riccio
 
Art in Public Spaces and Cultural Heritage
byGiovanni Maria Riccio
 
Privacy e telemarketing
byGiovanni Maria Riccio
 
Le regole dei giochi
byGiovanni Maria Riccio
 
Balancing Data Protection and Artificial Intelligence
byGiovanni Maria Riccio
 
Corso Libertà di informazione. Diffamazione, rettifica, oblio
byGiovanni Maria Riccio
 
Quali regole e perché? UE, Data Protection e Intelligenza Artificiale
byGiovanni Maria Riccio
 
Indigenous Art & Copyright: Milpurrurru v Indofurn
byGiovanni Maria Riccio
 
Startup innovative
byGiovanni Maria Riccio
 
Intelligenza artificiale, data protection e copyright
byGiovanni Maria Riccio
 
Artificial Intelligence and Copyright: How to Find Balances between Human Cr...
byGiovanni Maria Riccio
 
G.M. Riccio - National Efforts to Control the Internet: to Regulate or Not? ...
byGiovanni Maria Riccio
 
Out-of-Commerce Works and the Copyright Proposal Directive
byGiovanni Maria Riccio
 
Startup - Marchi, Copyright, Confidentiality Agreement
byGiovanni Maria Riccio
 
Authorship NFT Artificial Intelligence.pptx
byGiovanni Maria Riccio
 

Recently uploaded

PDF
EMMANUEL MOUKA FOOD POISONING CAUGHT ON CCTV PETITION
byMouka Emmanuel
 
PDF
85-108+Vanessa,+Gunawan+Djajaputra(1).pdf
bysianturiyohanaputri0
 
PDF
Marginalizing People with Disabilities By Police Conduct & Judicial Actions.pdf
byChristopherCross19
 
PDF
For-Website-251218-CJP-complaint-to-NCM-on-hate-speech-vigilantism-etc-target...
bysabranghindi
 
PDF
The Architecture of Sovereignty: A Comprehensive Analysis of Recognition unde...
by Judge Nazmul Hasan.
 
PPTX
When Did DUI Become Illegal: A Complete Guide
byJosh Mcdowell
 
PPTX
Labour Codes 2025, ppt on new labour codes
byYASHJAIN886310
 
PPTX
volenti non fit injuria .pptx dsjbf v d s sdj w
byajbjsba724
 
PDF
The Difference Between Criminal and Civil Wrongful Death Cases
byPeach Firm
 
PDF
ADR. Part one Definition and Basic features
byyusufwerkineh4
 
PDF
Final Judgment Angelina Martinz v Isabel Maria Aguilar Broward Case No. CACE-...
byRaymond R. Dieppa
 
PDF
122392022_2024-11-13-bulldozer-justice-judgment-1.pdf
bysabranghindi
 
PDF
DEVELOPMENT OF CHEMICAL AND PHARMACEUTICAL DOCUMENTATION
bylingher1
 
PDF
Inheritance: How to Avoid Family Disputes
byDr Edgar Paltzer
 
PPTX
Women Security society and cyber security concentrating on legal provisions a...
byjaykumar39894
 
PDF
Cases penned by Justice-Zalameda 2019-2025
byGenpsyPacada
 
PDF
Cecilia Alvarez v Supreme Rent a Car jury verdict $5,643,981.00 (Miami-Dade 2...
byRaymond R. Dieppa
 
PPTX
Week-15--ICT-in-Daily-Life-Smart-Homes--Banking--Online-Shopping-20092025-111...
byomamanouman4
 
PDF
Final Judgement - Glen Blanco v Paul Jerome Case No. 2018-034632-CA-01
byRaymond R. Dieppa
 
PPTX
POSH Training Rignaya and Associates LLP for training employees
byaabha35
 
EMMANUEL MOUKA FOOD POISONING CAUGHT ON CCTV PETITION
byMouka Emmanuel
 
85-108+Vanessa,+Gunawan+Djajaputra(1).pdf
bysianturiyohanaputri0
 
Marginalizing People with Disabilities By Police Conduct & Judicial Actions.pdf
byChristopherCross19
 
For-Website-251218-CJP-complaint-to-NCM-on-hate-speech-vigilantism-etc-target...
bysabranghindi
 
The Architecture of Sovereignty: A Comprehensive Analysis of Recognition unde...
by Judge Nazmul Hasan.
 
When Did DUI Become Illegal: A Complete Guide
byJosh Mcdowell
 
Labour Codes 2025, ppt on new labour codes
byYASHJAIN886310
 
volenti non fit injuria .pptx dsjbf v d s sdj w
byajbjsba724
 
The Difference Between Criminal and Civil Wrongful Death Cases
byPeach Firm
 
ADR. Part one Definition and Basic features
byyusufwerkineh4
 
Final Judgment Angelina Martinz v Isabel Maria Aguilar Broward Case No. CACE-...
byRaymond R. Dieppa
 
122392022_2024-11-13-bulldozer-justice-judgment-1.pdf
bysabranghindi
 
DEVELOPMENT OF CHEMICAL AND PHARMACEUTICAL DOCUMENTATION
bylingher1
 
Inheritance: How to Avoid Family Disputes
byDr Edgar Paltzer
 
Women Security society and cyber security concentrating on legal provisions a...
byjaykumar39894
 
Cases penned by Justice-Zalameda 2019-2025
byGenpsyPacada
 
Cecilia Alvarez v Supreme Rent a Car jury verdict $5,643,981.00 (Miami-Dade 2...
byRaymond R. Dieppa
 
Week-15--ICT-in-Daily-Life-Smart-Homes--Banking--Online-Shopping-20092025-111...
byomamanouman4
 
Final Judgement - Glen Blanco v Paul Jerome Case No. 2018-034632-CA-01
byRaymond R. Dieppa
 
POSH Training Rignaya and Associates LLP for training employees
byaabha35
 

GDPR and Copyright Law

  • 1.
    GDPR Krakow Intellectual Property SummerSchool Giovanni Maria Riccio Professor of Law gmriccio@unisa.it
  • 7.
    The History ofthe General Data protection Regulation • In 1995, the European Data protection Directive (Directive 95/46 CE) on the protection of individuals with regard to the processing of personal data and on the free movement of these data was adopted. • For the first time, a definition of «personal data» was provided: «any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity» • The Directive specified the meaning of processing data, with a broad definition: «any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction»
  • 8.
    The History ofthe General Data protection Regulation • In 2011, the European Data Protection Supervisor published an Opinion on the European Commission Communication, entitled «a comprehensive approach on the personal data protection in EU» • In 2012, the European Commission proposed a comprehensive reform of the Directive 95/46 to streghten online privacy rights and the European Data Protection Supervisor adopted an opinion on the Commission’s data protection reform package. • In 2014, the European Parliament supported the new regulation on data protection and in 2015 an agreement was reached by the European Parliament, the Council and the Commission. • In 2016, the Regulation (EU) 2016/679 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data was published and entered into force from 24th May 2016. • From 25th May 2018, the GDPR started to be applied
  • 9.
    General Data Protection Regulation The General DataProtection Regulation (EU) 2016/679 The same law and the same text for all the member States Approved on May 2016 – Came into force on May 2018 It is applicable also to non European entities where they offer products or services or when they monitor European citizens (eg Google Maps, Facebook, Instagram, etc.)
  • 10.
    GDPR - acommon framework • The difference between the Directive and the GDPR is that the GDPR does not require the implementation into the national legal framework by the Member States. In fact, the Directive soght to harmonise the protection of fundamental rights and freedoms of natural persons • So, the GDPR is a common framework in all the Member States, without any differences. • The most important aims of GDPR are: - to promote the protection of personal data of natural persons both in the Community and in the external context - to update the legislation on data protection in Europe, with a common framework, that is more adequate to be modified in order to the technological and sociological scenario. • «In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used ». (Whereas 15).
  • 11.
    GDPR - acommon framework • The Whereas specified the most relevant purposes of the GDPR. The protection of natural persons in relation to the processing of personal data is a fundamental right. • Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her. Article 8: «1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.» Article 16: «1. Everyone has the right to the protection of personal data concerning them. 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.»
  • 12.
    The scope ofGDPR • The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. • Only to the processing of personal data of natural persons. • To the processing of personal data in the context of the activities of an establishment of a Controller or a Processor in the Union, regardless of whether the processing takes place in the Union or not. • To the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; 2. the monitoring of their behaviour as far as their behaviour takes place within the Union.
  • 13.
    The scope of GDPR Theprocessing of personal data should be designed to serve mankind. But the right to the protection of personal data is not an absolute right: it must be balanced against other fundamental rights, in accordance with the principle of proportionality. The GDPR respects all fundamental rights and observes the freedoms and principles, specifically: -the respect for private and family life, home and communications; -the freedom of expression and information; - freedom to conduct a business; -the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity. The GDPR does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of the Regulation 679/2016 into their national law.
  • 14.
    Definitions The Article 4of GDPR provides the most important definitions: Personal data Processing Controller Processor Data Subject any information relating to an identified or identifiable natural person (“the data subject”); for instance, a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity the identified or identifiable natural person, that can be identified directly or indirectly, whose personal data is being collected, held or processed. any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
  • 15.
    Definitions • There arespecial categories of personal data, including the personal data that reveal: 1. racial or ethnic origin; 2. political opinions; 3. religious or philosophical beliefs; 4. trade union membership; Or: 1. genetic data, biometric data; 2. concerning health or a natural person's sex life or sexual orientation. 3. data relating to criminal convictions and offences. Another category consists in anonymous information: the anonymous information is the one that does not relate to an identified or identifiable person or to personal data rendered anonymous in a such manner that the data subject is not or no longer identifiable. But the GDPR does not concern the processing of anonymous information, including for statistical or research purposes.
  • 16.
    Principles relating toprocessing of personal data • Lawfulness, fairness and transparency • Purpose limitation • Data minimisation Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. The data subject must be informed about the processing of these data and the purposes. The Processing shall be lawful only if and to the extent that at least one of the conditions, provided by the Article 6 of GDPR. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • 17.
    Principles relating toprocessing of personal data • Accuracy • Storage limitation • Integrity and confidentiality Personal data shall be accurate and, where necessary, kept up to date. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measure.
  • 18.
    The principle ofaccountability The GDPR introduced a new principles to data protection, that of accountability. Controllers and processors have to take responsibility for their processing activities and for how they comply with data protection principles and they must be able to demonstrate compliance. Being responsible for compliance means being proactive and organised about data protection, while demonstrating compliance is the ability to present evidence of the steps taken to comply.
  • 19.
    Consent • Processing ofpersonal data is lawful only under one of the six legal basis, provided by the Article 6 of GDPR. • The first condition is CONSENT. The data subject has to give his or her consent to the processing of personal data for one or more specific purposes. What does consent mean? And what are the GDPR requirements ? Consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. So, the consent must: 1. be freely given; 2. be specific; 3. be informed; 4. be unambiguous. The controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  • 20.
    Other legal basis • Contractualperfomance: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. • Legal obligation: the processing is necessary for compliance with a legal obligation to which the controller is subject. • Vital interest: the processing is necessary in order to protect the vital interests of the data subject or of another natural person. • Public interest or acting under official public authority: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. • Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  • 21.
    What are therights of the data subject? • the right of access: the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed • the right to rectification: the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. • the right to erasure: the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. • the right to restrict processing: the data subject shall have the right to obtain from the controller restriction of processing, in case of lack of accuracy, when the processing is unlawful, and when the controller no longer needs the personal data for the purposes of the processing. • the right to data portability: the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. • the right to object to processing: the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data • the rights in relation to automated decision making and profiling: the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  • 22.
    The right tobe informed There is a need for transparency regarding the gathering and use of data in order to allow EU citizens to exercise their right to the protection of personal data. The GDPR acknowledges to individuals the right to be informed about the collection and use of their personal data, which leads to a variety of information obligations by the controller. There are two cases: 1. Where data is obtained directly, the data subject must be immediately informed, at the time the data is obtained. In terms of content, the Controller’s obligation to inform includes his or her identity, the contact data of the Data Protection Processor (if available), the processing purposes and the legal basis, any legitimate interests pursued, the recipients when transmitting personal data, and any intention to transfer personal data to third countries. 2. If personal data is not obtained from the data subject, he or she must be provided the information within a reasonable period of time, but at latest after a month. In cases where the gathered information is used to directly contact the data subject, he or she has the right to be informed immediately upon being approached. As far as content is concerned, the controller has to provide the same specific information as if the personal data would have been directly obtained from the data subject.
  • 23.
    The obligations ofController The data Controller determines the purposes for which, the means by which personal data is processed. But, also the Controller determines the nature, the storage of the processing, and also the data categories. The Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Indeed, taking into account the nature, scope, context and purposes of processing, the Controller shall implement appropriate technical and organisational measures, such as pseudonymization and data minimization. The data pseudonymization consists in substituting the identity of the data subject in such a way that additional information is required to re-identify the data subject. It is different from anonymization, that actually consists in irreversibly destroying any way of identifying the data subject. The Controller shall maintain a record of processing activities under its responsibility, for instance: the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organization etc.
  • 24.
    The role ofthe Data Processor The data processor processes personal data only on behalf of the controller. Where processing is to be carried out on behalf of a Controller, the Controller shall use only Processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. Processing by a Processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the Controller and that sets out the subject- matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. The Processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the Controller.
  • 25.
    What does DATA BREACHmean? Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In case of data breach, the controller should communicate to the data subject, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. Indeed, the Controller shall notify the personal data breach to the supervisor authority not later than 72 hours (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons).
  • 26.
    The role ofDPO • The controller and the processor shall designate a data protection officer in any case where: 1. The processing is carried out by a public authority or body; 2. When the processing operations require regular and systematic monitoring of data subjects on a large scale; 3. When the processing on large scale involves special categories of data. The data protection officer shall have these tasks: 1. to inform and advise the Controller or the Processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; 2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data; 3. to provide advice where requested; 4. to cooperate with the supervisory authority
  • 27.
    The role ofthe Data Protection Authority Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union. • Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers. • Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by: - their Parliament; - their Government; - their head of State; or - an independent body entrusted with the appointment under Member State law Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.
  • 28.
    Cooperation, mutual assistance andconsistency Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission. • Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. • Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorizations and consultations, inspections and investigations. The supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism. This mechanism should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. It should also apply where any supervisory authority concerned or the Commission requests that such matter should be handled in the consistency mechanism. The mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties
  • 29.
    The role of theEDPB The European Data Protection Board is established as a body of the Union, shall have legal personality and shall act independently when performing its tasks. The Board shall ensure the consistent application of GDPR. Some of the relevant tasks of the Board are: • advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of the Regulation; • advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules; • issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services; • examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of the Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of the Regulation
  • 30.
    Data protection and copyright Howcould a balance be possible between the data protection and the right to information, to ensure protection to copyright? The problem of the legitimate restriction of the right to the protection of personal data for the protection of intellectual rights arises with particular reference to the disclosure mechanism, by certain intermediaries, involving the personal data of third parties, previously collected by them for the provision of their services, to copyright holders, to allow to see the violations against them. Examples of violations are: 1. File-sharing networks 2. Peer-to-peer In order to be able to fully exercise their right of defense, the holders of intellectual property rights need to provide contact information relating to offenders, this information that is held by the providers of the connectivity services and/or the hosting providers.
  • 31.
    Data protection andcopyright The main issue is whether the transfer of this category of data to the copyright holders is lawful without the express consent of the data subjects. Could the transfer only appear as an unauthorized and as unlawful processing of personal data? On one hand, disclosure of data for the identification of infringers could be considered as a transfer to third parties without a legal basis; on the other hand, in the absence of such information, the other subjects may remain unprotected without the possibility to end the violations and obtaining compensation for the economic damages suffered. Is there a right to information that is superior than the personal data protection?
  • 32.
    Data protection and copyright • TheArticle 6 of the Directive 2004/48/EC on the enforcement of intellectual property rights, provides: 1. Member States shall ensure that, on application by a party which has presented reasonably available evidence sufficient to support its claims, and has, in substantiating those claims, specified evidence which lies in the control of the opposing party, the competent judicial authorities may order that such evidence be presented by the opposing party, subject to the protection of confidential information. For the purposes of this paragraph, Member States may provide that a reasonable sample of a substantial number of copies of a work or any other protected object be considered by the competent judicial authorities to constitute reasonable evidence. 2. Under the same conditions, in the case of an infringement committed on a commercial scale Member States shall take such measures as are necessary to enable the competent judicial authorities to order, where appropriate, on application by a party, the communication of banking, financial or commercial documents under the control of the opposing party, subject to the protection of confidential information.
  • 33.
    Data protection andcopyright The Article 8 of the Directive 2004/48/EC on the enforcement of intellectual property rights, entitled «Right to information» states: 1. Member States shall ensure that, in the context of proceedings concerning an infringement of an intellectual property right and in response to a justified and proportionate request of the claimant, the competent judicial authorities may order that information on the origin and distribution networks of the goods or services which infringe an intellectual property right be provided by the infringer and/or any other person who: (a) was found in possession of the infringing goods on a commercial scale; (b) was found to be using the infringing services on a commercial scale; (c) was found to be providing on a commercial scale services used in infringing activities; (b) or (d) was indicated by the person referred to in point (a), (b) or (c) as being involved in the production, manufacture or distribution of the goods or the provision of the services.
  • 34.
    Data protection andcopyright Type of information: (a) the names and addresses of the producers, manufacturers, distributors, suppliers and other previous holders of the goods or services, as well as the intended wholesalers and retailers; (b) (b) information on the quantities produced, manufactured, delivered, received or ordered, as well as the price obtained for the goods or services in question. But this provision shall apply without prejudice to other provisions, such as: “govern the protection of confidentiality of information sources or the processing of personal data”.
  • 35.
    Data protection andcopyright • On the other hand, the Article 23 of GDPR, entitled «Restrictions», provides that the union or the Member states law may restrict the data subject rights when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard: (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; (i) the protection of the data subject or the rights and freedoms of others; (j) the enforcement of civil law claims
  • 36.
    Data protection andcopyright Peppermint case law- 2003 In 2006, the German record label Peppermint Jam Records Gmbh sent out 3,636 notices of copyright infringements to alleged Italian file-sharers informing them that they have been found guilty of uploading copyrighted songs. Peppermint had watched over consumers in their personal use of the Internet, with the help of their providers, and managed to get users’ data, monitoring their movements. Peppermint in these notices invited the users to pay a compensation for the damage for copyright infringement. The Italian Association consumer consulted the Supervisor Authority, condemning the procedures though which the Peppermint had collected users’ data (IP addresses) ( i.e. without any consent of the users). The final judgement stated that the data collected and the way, in which they were obtained, is unlawful.
  • 37.
    Data protection and copyright • Stichting Breinvs Ziggo BV, XS4ALL Internet BV case-law 2017 • Stichting Brein is a foundation governed by Netherlands Law, whose main purpose is to combat the illegal exploitation of subject matter protected by copyright and related rights, and to protect in that area the interests of the holders of those rights. • Ziggo BV and XS4ALL Internet BV (‘XS4ALL’), are companies governed by Netherlands law whose activity consists, inter alia, in providing consumers with an internet service. • Stichting Brein asked to block the access to the Ziggo and XS4ALL Internet BV services by recipients to the internet addresses of the website of TPB, an engine for peer-to-peer file-sharing. The application is based on the fact that the recipients, using those services, commit large-scale copyright infringements, by sharing files containing protected subject matter (mainly music and films) without the authorization of the copyright holders. • Supreme Court of the Netherlands noted, however, that the Court’s case-law did not allow to reply with any certainty to the question as to whether the online sharing platform TPB consisted in a communication to public within the meaning of Article 3(1) of Directive 2001/29, in particular: • – by creating and maintaining a system in which internet users connect with each other in order to be able to share, in segments, works present on their own computers; • – by operating a website from which users can download torrent files which refer to segments of those works; and • – by indexing the torrent files placed online on this website and by categorising them in such a way that the segments of those underlying works can be located and the users can download those works (as a whole) onto their computers. • The CJEU answered to the request of the Court of Netherlands, clarifying that the peer-to-peer tools used by the Website of TPB falls under the concept of communication to public. • For peer to peer tools is meant a sharing platform, which, by means of indexation of metadata relating to protected works and the provision of a search engine, allows users to locate those works and to share them. • Article 3 • 1. Member States shall provide authors with the exclusive right to authorise or prohibit any communication to the public of their works, by wire or wireless means, including the making available to the public of their works in such a way that members of the public may access them from a place and at a time individually chosen by them. • 2. Member States shall provide for the exclusive right to authorise or prohibit the making available to the public, by wire or wireless means, in such a way that members of the public may access them from a place and at a time individually chosen by them: • (a) for performers, of fixations of their performances; • (b) for phonogram producers, of their phonograms; • (c) for the producers of the first fixations of films, of the original and copies of their films; • (d) for broadcasting organisations, of fixations of their broadcasts, whether these broadcasts are transmitted by wire or over the air, including by cable or satellite.