GDPR
“Requirements for processing personal data”
By:
- Steffi Besselink, European GDPR and Contract Lawyer (LL.M), Data Protection Officer (DPO)
Provided for:
/steffibesselink
Scope
Data types: personal data, pseudonymised data, anonymised data
Data use: what is legal data use
How to assure data subject rights
What is considered secure data
When is an event a personal data breach
Can I share data
Freebies…
Agenda
Scope
European Data Protection Law
Every European Union country has a data protection authority that monitors GDPR compliance (and can impose fines)
Protecting personal data from individuals in EU
Rules apply to every citizen and company that processes data of citizens in the EU
Regardless of other laws: GDPR applies to ALL personal data
Territorial scope: GDPR applies when a company's data processing activities have a direct link with the European market
Material scope: GDPR applies when it is about personal data
GDPR rules apply
GDPR rules do not apply
Scope
- Examples
Data types
- Personal data
Personal Data
All data related to a person:
Special category
Data types
GDPR rules and obligations
Direct identifiers | Indirect identifiers | Pseudonymised data | Anonymised data
No GDPR data:
There is no link with the individual anymore
Pseudonymisation:
Data types
Pseudonymisation techniques:
Personal data
- Encryption with secret key
- Hash functions
- Tokenization
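The three techniques listed above differ in who can reverse the pseudonym, which is what decides whether the output is still personal data under GDPR. The following Python block is an added illustration written for this page, not code from the webinar or its author: it pseudonymises a constructed five-digit customer number with an unkeyed hash, a keyed hash (HMAC), and a token vault, and includes the re-identification check a DPO would run on the unkeyed variant. All sample values (the customer number, its digit count, the keys) are constructed assumptions.

```python
"""Pseudonymisation techniques side by side, with a re-identification check.

Constructed example: the identifier space is five decimal digits, a typical
size for internal customer or employee numbers.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SAMPLE_CUSTOMER_NO = "48213"   # constructed sample value
CUSTOMER_NO_DIGITS = 5         # assumed size of the identifier space


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic, so records still link, but anyone who
    knows the identifier format can rebuild the full mapping (see
    reidentify_plain_hash), so the output is still personal data."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key held by the controller. Without the key
    the digest cannot be recomputed, so only the key holder can re-identify.
    The key itself then becomes the asset whose compromise must be assessed."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: replace the identifier with a random token and keep the
    token -> identifier mapping in a separately protected store (the vault).
    The token carries no information about the identifier at all."""

    def __init__(self) -> None:
        self._token_to_id: Dict[str, str] = {}
        self._id_to_token: Dict[str, str] = {}

    def tokenize(self, identifier: str) -> str:
        # Reuse the existing token so the same person maps to the same token.
        if identifier not in self._id_to_token:
            token = secrets.token_hex(16)
            self._id_to_token[identifier] = token
            self._token_to_id[token] = identifier
        return self._id_to_token[identifier]

    def detokenize(self, token: str) -> Optional[str]:
        # Only code with access to the vault can reverse a token.
        return self._token_to_id.get(token)


def reidentify_plain_hash(digest: str, digits: int) -> Optional[str]:
    """Risk check for the unkeyed hash: with a known, small identifier space
    every candidate can be hashed and compared, so the pseudonym is reversible
    by anyone holding the data set. Returns the recovered identifier, or None."""
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def demo() -> dict:
    """Run all three techniques on the sample record and report whether each
    pseudonym could be reversed without the controller's secret."""
    key = secrets.token_bytes(32)          # constructed controller key
    vault = TokenVault()

    plain = plain_hash(SAMPLE_CUSTOMER_NO)
    keyed = keyed_hash(SAMPLE_CUSTOMER_NO, key)
    token = vault.tokenize(SAMPLE_CUSTOMER_NO)

    return {
        "plain_hash_reversible": reidentify_plain_hash(plain, CUSTOMER_NO_DIGITS) == SAMPLE_CUSTOMER_NO,
        # A keyed hash produced with a different key never matches, so a
        # dictionary built without the key is useless.
        "keyed_hash_reversible_without_key": keyed == keyed_hash(SAMPLE_CUSTOMER_NO, secrets.token_bytes(32)),
        "token_reversible_without_vault": TokenVault().detokenize(token) == SAMPLE_CUSTOMER_NO,
    }


if __name__ == "__main__":
    for technique, reversible in demo().items():
        print(f"{technique}: {reversible}")
```

The `plain_hash_reversible` result is the point of the risk question on the Data Security slide: a hash alone does not move data out of GDPR scope when the input space is small and known, whereas the keyed hash and the token are only reversible by whoever holds the key or the vault, which is therefore what the access and key-management controls must protect.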
Data types
Anonymous Data
Case study
Case: Avast UOOU-01025/20-121
Fine: 13,5 million, 2024
Data use
Art. 5, GDPR: Compliance Principles
Most fines:
Data use
Case study
Case: Amazon SAN-2023-021
Fine: 32 million, 2023
Controller
The Company or Person deciding the purpose and means.
Processor
The Company or Person acting on behalf of the Controller.
Contract
Purpose
Legal basis
Communication
What was the original purpose of the collected data?
Does the activity flow from the original purpose? Is the data anonymous?
Are the data subjects aware of the activities?
Controller
Processor
Purpose of Controller
What were your instructions?
Communication
How is the data used?
Changing purpose
Processing and further processing
Case study
Case: Hospital in Italy 9529527
Fine: €100,000, 2021
Right to access
Right to data portability
Right to rectification
Right not to provide data to automated decision-making tools
Right to erasure (“to be forgotten”)
Right to be informed
Right to restrict or object to processing
Data subjects
Data Security
Systems
Users
Data
What type of data is being processed, on what legal basis and for what purpose?
What is the risk of re-identification of an individual, e.g. via linking a data set?
Who can access the data? How strong are access measures?
Where is the data stored and with whom is it shared?
Has a Data Protection Impact Assessment (DPIA) been performed?
What is, objectively, the risk of a pseudonymisation key being compromised?
What is, objectively, the risk of data being accessed, lost, or modified without authorisation?
Risk preparation
Event response
Data Sharing
Internal governance
EEA + Adequacy decision
Other locations
Access given, based on need-to-know
Data Breach
Red flags
Data Controller
Data Processor
RECAP
Data can be processed (legally) when there is a legal basis
Data subjects should be informed of these activities and notified of changes.
Data should be secured with technical and organisational security measures
Business activities should have a risk assessment and an incident procedure
You won’t be fined for a data breach.
You are fined for lack of preparedness and response.
How to demonstrate compliance?
linkedin.com/in/steffibesselink
This Webinar was provided for:
GDPR: Freebies