GDPR. Personal Data Transfers
Andrey Prozorov, CISM, CIPP/E
80na20.blogspot.ru
v.1.1 2020-04-06
Agenda
I. General requirements
• GDPR
• The contract
• Article 88 Processing in the context of employment
II. International transfers
• Comments by ICO (UK)
• Basis for data transfers from the EU
• Notification of the Data Subject
• Adequacy decisions
• Privacy Shield
• Guidelines (EDPB and WP29)
• Binding corporate rules
III. Transfers of personal data from Russia to third countries
by Andrey Prozorov, CISM, CIPP/E
I. General requirements
GDPR
Main requirements
• Article 24 Responsibility of the controller
• Article 26 Joint controllers
• Article 27 Representatives of controllers or processors not established in the Union
• Article 28 Processor
• Article 88 Processing in the context of employment

Cross-border processing
• Article 13 Information to be provided where personal data are collected from the data subject
• Article 14 Information to be provided where personal data have not been obtained from the data subject
• Article 15 Right of access by the data subject
• Article 30 Records of processing activities

CHAPTER V. Transfers of personal data to third countries or international organisations
• Article 44 General principles for transfers of personal data
• Article 45 Transfers on the basis of an adequacy decision
• Article 46 Transfers subject to appropriate safeguards
• Article 47 Binding corporate rules
• Article 48 Transfers or disclosures not authorised by Union law
• Article 49 Derogations for specific situations
• Article 50 International cooperation for the protection of personal data
The contract
Data controllers in the EU are always required to enter into a contract when a transfer is made for processing purposes only, whether the processing operation is carried out inside or outside the EU, and whether or not the processor participates in the Privacy Shield.
The purpose of the contract is to make sure that the processor:
• acts only on instructions from the controller;
• provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and understands whether onward transfer is allowed; and
• taking into account the nature of the processing, assists the controller in responding to individuals exercising their right to access their personal data.
GDPR Article 28 Processor
1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. …
The contract (Art. 28(3))
That contract or other legal act shall stipulate, in particular, that the processor:
• processes the personal data only on documented instructions from the controller
• ensures that persons authorised to process the personal data have committed themselves to confidentiality
• takes all measures required pursuant to Article 32 (Security of processing)
• respects the conditions referred to in paragraphs 2 and 4 for engaging another processor
• assists the controller by appropriate technical and organisational measures, helps to respond to requests for exercising the data subject's rights
• assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 (Security of personal data: Security of processing, Breach notification, DPIA and prior consultation)
• at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing
• makes available to the controller all information necessary to demonstrate compliance with the obligations (e.g. external audits)
Analyse and revise your contracts
This contract must define:
• the subject-matter and duration of the service you are carrying out on your client's behalf
• the nature and purposes of the processing
• the type of personal data that you are processing on your client's behalf
• the categories of data subjects
• the obligations and rights of your client as the controller
• your obligations as the processor as set out in Article 28 of the GDPR
General Data Protection Regulation: a guide to assist processors (by CNIL)
Article 88 Processing in the context of employment
1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.
II. International transfers
Comments by ICO (UK)
• The GDPR primarily applies to controllers and processors located in the European Economic Area (the EEA) with some exceptions.
• Individuals risk losing the protection of the GDPR if their personal data is transferred outside of the EEA.
• On that basis, the GDPR restricts transfers of personal data outside the EEA, or the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.
• A transfer of personal data outside the protection of the GDPR (which we refer to as a ‘restricted transfer’) most often involves a transfer from inside the EEA to a country outside the EEA.
• Other comments: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers
Basis for data transfers from the EU
1. Transfers on the basis of an adequacy decision (Art.45)
• By the European Commission
• Such a transfer shall not require any specific authorisation
2. Transfers subject to appropriate safeguards (Art.46)
The appropriate safeguards:
• a legally binding and enforceable instrument between public authorities or bodies
• binding corporate rules (BCR)
• standard data protection clauses adopted by the Commission
• standard data protection clauses adopted by a supervisory authority and approved by the Commission
• an approved code of conduct (binding and enforceable commitments)…
• an approved certification mechanism (binding and enforceable commitments)…
3. Derogations for specific situations (Art.49)…
Derogations for specific situations
3. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers
b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request
c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person
d) the transfer is necessary for important reasons of public interest
e) the transfer is necessary for the establishment, exercise or defence of legal claims
f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent
g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public…
About the consent
1. Consent must be explicit
2. Consent must be specific for the particular data transfer/set of transfers
3. Consent must be informed, particularly as to the possible risks of the transfer
Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
Notification of the Data Subject
1. The fact that the controller intends to transfer personal data to a third country or international organisation
2. The existence or absence of an adequacy decision by the Commission
3. Reference to the appropriate or suitable safeguards*
4. The possible risks*
5. The means by which to obtain a copy of personal data or where they have been made available
* if applicable
GDPR Article 13 Information to be provided where personal data are collected from the data subject, 1 f)
GDPR Article 14 Information to be provided where personal data have not been obtained from the data subject, 1 f)
GDPR Article 15 Right of access by the data subject, 2
GDPR Article 30 Records of processing activities, 1 e)
GDPR Article 49 Derogations for specific situations, 1 a)
Adequacy decisions
How the EU determines if a non-EU country has an adequate level of data protection.
• The European Commission has the power to determine, on the basis of Article 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection.
• The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.
• The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.
• Adequacy talks are ongoing with South Korea.
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#relatedlinks
Privacy Shield
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
• Self-Certification
• 5287 Total Organizations (27.03.2020)
• Privacy Shield List - www.privacyshield.gov/list
Privacy Shield Framework
Privacy Shield Principles
• Notice
• Choice
• Accountability for Onward Transfer
• Security
• Data Integrity and Purpose Limitation
• Access
• Recourse, Enforcement, and Liability

Privacy Shield Supplemental Principles
• Sensitive Data
• Journalistic Exceptions
• Secondary Liability
• Performing Due Diligence and Conducting Audits
• The Role of the Data Protection Authorities
• Access
• Self-Certification
• Verification
• Human Resources Data
• Obligatory Contracts for Onward Transfers
• Dispute Resolution and Enforcement
• Choice -- Timing of Opt-Out
• Travel Information
• Pharmaceutical and Medical Products
• Public Record and Publicly Available Information
• Access Requests by Public Authorities
https://www.privacyshield.gov/EU-US-Framework
Guidelines
EDPB
• Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
• Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

WP29 (about BCR)
• Working Document Setting Forth a Co-Operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR, WP 263 rev.01
• Recommendation on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data, WP 264
• Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data, WP 265
• Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules, WP 256 rev.01
• Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules, WP 257 rev.01

‘Binding corporate rules’ (BCRs) means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
Binding corporate rules (Art.47)
The competent supervisory authority (SA) approves BCRs.
BCRs shall specify at least:
a) the structure and contact details of the group of undertakings
b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question
c) their legally binding nature, both internally and externally
d) the application of the general data protection principles and the requirements in respect of onward transfers to bodies not bound by the BCRs
e) the rights of data subjects
f) the acceptance by the controller or processor of liability for any breaches of the BCRs
g) information about notification of the data subjects
h) the tasks of DPOs
i) the complaint procedures
j) the mechanisms for ensuring the verification of compliance with the BCRs
k) the mechanisms for reporting and recording changes
l) the cooperation mechanism with the SA
m) the mechanisms for reporting to the competent SA
n) the appropriate data protection training to personnel
Register of approved BCRs, 27.03.2020
https://edpb.europa.eu/our-work-tools/accountability-tools/bcr_en
III. Transfers of personal data from Russia to third countries
152-FZ
Russian Personal Data Act (152-FZ, 27.07.2006)
Article 12. Cross-Border Transmission of Personal Data
3. Prior to commencing cross-border transmission of personal data, the operator [Controller] must make sure that the foreign state to whose territory the personal data are transmitted provides adequate protection of the rights of personal data subjects.
Countries that provide adequate protection
Parties to the Convention 108:
Members of Council of Europe:
Albania, Andorra, Armenia, Austria, Azerbaijan, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia,
Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Hungary,
Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Montenegro,
Netherlands, North Macedonia, Norway, Poland, Portugal, Republic of Moldova, Romania, Russian
Federation, San Marino, Serbia, Slovak Republic, Slovenia, Spain, Sweden, Switzerland, Turkey, Ukraine,
United Kingdom
Non-Members of Council of Europe:
Argentina, Burkina Faso, Cabo Verde, Mauritius, Mexico, Morocco, Senegal, Tunisia, Uruguay
Other (from the list): the Commonwealth of Australia, the Argentine Republic, the Gabonese Republic,
the State of Israel, the State of Qatar, Canada, the Kingdom of Morocco, Malaysia, Mongolia, New
Zealand, the Republic of Angola, the Republic of Benin, the Republic of Kazakhstan, the Republic of
Korea, the Republic of Costa Rica, the Republic of Mali, the Republic of Peru, the Republic of
Singapore, the Tunisian Republic, the Republic of Chile, the Republic of South Africa, Japan.
!!! The United States of America is not on the list
The RKN (Roscomnadzor) approves the list of foreign states which are not parties to the Convention 108 and provide adequate protection of the rights of personal data subjects.
https://pd.rkn.gov.ru/press-service/subject1/news4400
4. Cross-border transmission of personal data in the territory of foreign states that do not provide adequate protection of the rights of personal data subjects may be performed in case of:
1) availability of the personal data subject’s consent given in writing;
2) cases provided for by international treaties of the Russian Federation;
3) cases provided for by federal laws if it is necessary for the purposes of protecting the fundamental principles of the constitutional order of the Russian Federation, ensuring defense of the country and security of the state, as well as ensuring the security of sustainable and safe functioning of the transport complex, protection of interests of the individual, society and the state in the sphere of the transport complex from acts of unlawful interference;
4) performance of a contract the personal data subject is a party to;
5) protection of the life, health, other vital interests of the personal data subject or other persons if it is impossible to obtain the personal data subject’s consent in writing.
Thanks!
Andrey Prozorov, CISM, CIPP/E
prozorov.info@gmail.com
My GDPR and ISMS toolkits:
www.patreon.com/AndreyProzorov
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
 
Introduction to Artificial intelligence.
Introduction to Artificial intelligence.Introduction to Artificial intelligence.
Introduction to Artificial intelligence.
 
History of Morena Moshoeshoe birth death
History of Morena Moshoeshoe birth deathHistory of Morena Moshoeshoe birth death
History of Morena Moshoeshoe birth death
 
Lions New Portal from Narsimha Raju Dichpally 320D.pptx
Lions New Portal from Narsimha Raju Dichpally 320D.pptxLions New Portal from Narsimha Raju Dichpally 320D.pptx
Lions New Portal from Narsimha Raju Dichpally 320D.pptx
 
in kuwait௹+918133066128....) @abortion pills for sale in Kuwait City
in kuwait௹+918133066128....) @abortion pills for sale in Kuwait Cityin kuwait௹+918133066128....) @abortion pills for sale in Kuwait City
in kuwait௹+918133066128....) @abortion pills for sale in Kuwait City
 
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdfSOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
 
BIG DEVELOPMENTS IN LESOTHO(DAMS & MINES
BIG DEVELOPMENTS IN LESOTHO(DAMS & MINESBIG DEVELOPMENTS IN LESOTHO(DAMS & MINES
BIG DEVELOPMENTS IN LESOTHO(DAMS & MINES
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
BEAUTIFUL PLACES TO VISIT IN LESOTHO.pptx
BEAUTIFUL PLACES TO VISIT IN LESOTHO.pptxBEAUTIFUL PLACES TO VISIT IN LESOTHO.pptx
BEAUTIFUL PLACES TO VISIT IN LESOTHO.pptx
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
LITTLE ABOUT LESOTHO FROM THE TIME MOSHOESHOE THE FIRST WAS BORN
LITTLE ABOUT LESOTHO FROM THE TIME MOSHOESHOE THE FIRST WAS BORNLITTLE ABOUT LESOTHO FROM THE TIME MOSHOESHOE THE FIRST WAS BORN
LITTLE ABOUT LESOTHO FROM THE TIME MOSHOESHOE THE FIRST WAS BORN
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
 
Zone Chairperson Role and Responsibilities New updated.pptx
Zone Chairperson Role and Responsibilities New updated.pptxZone Chairperson Role and Responsibilities New updated.pptx
Zone Chairperson Role and Responsibilities New updated.pptx
 

GDPR and Personal Data Transfers 1.1.pdf

5. The contract

Data controllers in the EU are always required to enter into a contract when a transfer is made for processing purposes only, whether the processing operation is carried out inside or outside the EU, and whether or not the processor participates in the Privacy Shield. The purpose of the contract is to make sure that the processor:
• acts only on instructions from the controller;
• provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and understands whether onward transfer is allowed; and
• taking into account the nature of the processing, assists the controller in responding to individuals exercising their right to access their personal data.

This wording follows the Privacy Shield Supplemental Principle on Obligatory Contracts for Onward Transfers (transfers for processing purposes); under the GDPR itself the same contract is mandatory under Article 28, quoted on the next slides.
6. GDPR Article 28 Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. …
7. The contract (Art. 28(3))

That contract or other legal act shall stipulate, in particular, that the processor:
• processes the personal data only on documented instructions from the controller
• ensures that persons authorised to process the personal data have committed themselves to confidentiality
• takes all measures required pursuant to Article 32 (Security of processing)
• respects the conditions referred to in Art. 28(2) and 28(4) for engaging another processor
• assists the controller by appropriate technical and organisational measures, insofar as this is possible, in responding to requests for exercising the data subject's rights
• assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 (security of processing, breach notification, DPIA and prior consultation)
• at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing
• makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28, and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller
8. Analyse and revise your contracts

This contract must define:
• the subject-matter and duration of the service you are carrying out on your client's behalf
• the nature and purposes of the processing
• the type of personal data that you are processing on your client's behalf
• the categories of data subjects
• the obligations and rights of your client as the controller
• your obligations as the processor as set out in Article 28 of the GDPR

Source: General Data Protection Regulation: a guide to assist processors (CNIL)
9. [Figure: excerpt from the CNIL guide "General Data Protection Regulation: a guide to assist processors"; the image is not recoverable from the transcript]
10. Article 88 Processing in the context of employment

1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.
II. International transfers
12. Comments by the ICO (UK Information Commissioner's Office)

• The GDPR primarily applies to controllers and processors located in the European Economic Area (the EEA) with some exceptions.
• Individuals risk losing the protection of the GDPR if their personal data is transferred outside of the EEA.
• On that basis, the GDPR restricts transfers of personal data outside the EEA, or the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.
• A transfer of personal data outside the protection of the GDPR (which the ICO refers to as a 'restricted transfer') most often involves a transfer from inside the EEA to a country outside the EEA.
• Further guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers
13. Basis for data transfers from the EU

1. Transfers on the basis of an adequacy decision (Art. 45)
• Adopted by the European Commission
• Such a transfer shall not require any specific authorisation

2. Transfers subject to appropriate safeguards (Art. 46), on condition that enforceable data subject rights and effective legal remedies are available. The appropriate safeguards are:
• a legally binding and enforceable instrument between public authorities or bodies
• binding corporate rules (BCR), Art. 47
• standard data protection clauses (SCCs) adopted by the Commission
• standard data protection clauses adopted by a supervisory authority and approved by the Commission
• an approved code of conduct, together with binding and enforceable commitments of the recipient…
• an approved certification mechanism, together with binding and enforceable commitments of the recipient…

3. Derogations for specific situations (Art. 49)…

The three are checked in this order: adequacy first, then an Art. 46 safeguard, and an Art. 49 derogation only where neither is available. Derogations are exceptions to be interpreted restrictively (EDPB Guidelines 2/2018), not a routine basis for recurring transfers.
14. Derogations for specific situations (Art. 49(1))

In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers
b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request
c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person
d) the transfer is necessary for important reasons of public interest
e) the transfer is necessary for the establishment, exercise or defence of legal claims
f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent
g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public…
16. About the consent

1. Consent must be explicit
2. Consent must be specific for the particular data transfer/set of transfers
3. Consent must be informed, particularly as to the possible risks of the transfer

Source: EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
17. Notification of the Data Subject

What the data subject must be told about a transfer:
1. The fact that the controller intends to transfer personal data to a third country or international organisation
2. The existence or absence of an adequacy decision by the Commission
3. Reference to the appropriate or suitable safeguards (if applicable)
4. The possible risks (if applicable; required where the transfer relies on explicit consent under Art. 49(1)(a))
5. The means by which to obtain a copy of those safeguards, or where they have been made available

Sources: GDPR Art. 13(1)(f) (information to be provided where personal data are collected from the data subject); Art. 14(1)(f) (information to be provided where personal data have not been obtained from the data subject); Art. 15(2) (right of access by the data subject); Art. 30(1)(e) (records of processing activities); Art. 49(1)(a) (derogations for specific situations).
18. Adequacy decisions

How the EU determines if a non-EU country has an adequate level of data protection.
• The European Commission has the power to determine, on the basis of Article 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection.
• The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question are treated like intra-EU transmissions of data.
• As of April 2020 the European Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.
• Adequacy talks are ongoing with South Korea.

Source: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#relatedlinks
19. Privacy Shield

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
• Self-certification by the U.S. organisation
• 5287 total organisations on the list (27.03.2020)
• Privacy Shield List - www.privacyshield.gov/list

Caveat, post-dating this deck: on 16 July 2020 the Court of Justice of the EU invalidated the EU-U.S. Privacy Shield adequacy decision in Schrems II (Case C-311/18), so Privacy Shield can no longer be relied on as an Art. 45 basis for transfers to the United States; a transfer must instead rest on an Art. 46 safeguard (with a transfer impact assessment) or an Art. 49 derogation.
20. Privacy Shield Framework

Privacy Shield Principles:
• Notice
• Choice
• Accountability for Onward Transfer
• Security
• Data Integrity and Purpose Limitation
• Access
• Recourse, Enforcement, and Liability

Privacy Shield Supplemental Principles:
• Sensitive Data
• Journalistic Exceptions
• Secondary Liability
• Performing Due Diligence and Conducting Audits
• The Role of the Data Protection Authorities
• Self-Certification
• Verification
• Access
• Human Resources Data
• Obligatory Contracts for Onward Transfers
• Dispute Resolution and Enforcement
• Choice -- Timing of Opt-Out
• Travel Information
• Pharmaceutical and Medical Products
• Public Record and Publicly Available Information
• Access Requests by Public Authorities

Source: https://www.privacyshield.gov/EU-US-Framework
21. Guidelines

EDPB:
• Guidelines 2/2020 on Articles 46(2)(a) and 46(3)(b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
• Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

WP29 (about BCR):
• Working Document Setting Forth a Co-Operation Procedure for the approval of "Binding Corporate Rules" for controllers and processors under the GDPR, WP 263 rev.01
• Recommendation on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data, WP 264
• Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data, WP 265
• Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules, WP 256 rev.01
• Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules, WP 257 rev.01
22. Binding corporate rules: definition (GDPR Art. 4(20))

'Binding corporate rules' (BCRs) means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
23. Binding corporate rules (Art. 47)

The competent supervisory authority (SA) approves BCRs. BCRs shall specify at least:
a) the structure and contact details of the group of undertakings
b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question
c) their legally binding nature, both internally and externally
d) the application of the general data protection principles and the requirements in respect of onward transfers to bodies not bound by the BCRs
e) the rights of data subjects
f) the acceptance by the controller or processor of liability for any breaches of the BCRs
g) information about notification of the data subjects
h) the tasks of DPOs
i) the complaint procedures
j) the mechanisms for ensuring the verification of compliance with the BCRs
k) the mechanisms for reporting and recording changes
l) the cooperation mechanism with the SA
m) the mechanisms for reporting to the competent SA
n) the appropriate data protection training to personnel
24. Register of approved BCRs (27.03.2020)

[Figure: screenshot of the EDPB register of approved BCRs; the entries are not recoverable from the transcript]
https://edpb.europa.eu/our-work-tools/accountability-tools/bcr_en
III. Transfers of personal data from Russia to third countries
26. 152-FZ Russian Personal Data Act (152-FZ, 27.07.2006), Article 12. Cross-Border Transmission of Personal Data

Part 3. Prior to commencing cross-border transmission of personal data, the operator (the Russian-law term for the controller) must make sure that the foreign state to whose territory the personal data are transmitted provides adequate protection of the rights of personal data subjects.

Caveat, post-dating this deck: Article 12 is quoted here as in force in April 2020. It was substantially amended by Federal Law No. 266-FZ of 14 July 2022 (in force from 1 March 2023), which among other things requires the operator to notify Roskomnadzor of its intention to carry out a cross-border transfer before starting it, so check the current wording before relying on this slide.
27. Countries that provide adequate protection

Parties to Convention 108:
• Members of the Council of Europe: Albania, Andorra, Armenia, Austria, Azerbaijan, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Montenegro, Netherlands, North Macedonia, Norway, Poland, Portugal, Republic of Moldova, Romania, Russian Federation, San Marino, Serbia, Slovak Republic, Slovenia, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom
• Non-members of the Council of Europe: Argentina, Burkina Faso, Cabo Verde, Mauritius, Mexico, Morocco, Senegal, Tunisia, Uruguay

Other states (from the Roskomnadzor list): the Commonwealth of Australia, the Argentine Republic, the Gabonese Republic, the State of Israel, the State of Qatar, Canada, the Kingdom of Morocco, Malaysia, Mongolia, New Zealand, the Republic of Angola, the Republic of Benin, the Republic of Kazakhstan, the Republic of Korea, the Republic of Costa Rica, the Republic of Mali, the Republic of Peru, the Republic of Singapore, the Tunisian Republic, the Republic of Chile, the Republic of South Africa, Japan.

Note: the United States of America is on neither list.
28. The RKN (Roskomnadzor) approves the list of foreign states which are not parties to Convention 108 (the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) and which provide adequate protection of the rights of personal data subjects.
https://pd.rkn.gov.ru/press-service/subject1/news4400
29. 152-FZ, Article 12, Part 4

4. Cross-border transmission of personal data to the territory of foreign states that do not provide adequate protection of the rights of personal data subjects may be performed in the following cases:
1) the personal data subject has given written consent to the cross-border transfer of his or her personal data;
2) the transfer is provided for by international treaties of the Russian Federation;
3) the transfer is provided for by federal laws, if it is necessary for the purposes of protecting the fundamental principles of the constitutional order of the Russian Federation, ensuring the defence of the country and the security of the state, as well as ensuring the security of the sustainable and safe functioning of the transport complex and protecting the interests of the individual, society and the state in the sphere of the transport complex from acts of unlawful interference;
4) performance of a contract to which the personal data subject is a party;
5) protection of the life, health or other vital interests of the personal data subject or of other persons, where it is impossible to obtain the personal data subject's written consent.
30. Thanks!

Andrey Prozorov, CISM, CIPP/E
prozorov.info@gmail.com
My GDPR and ISMS toolkits: www.patreon.com/AndreyProzorov