1 of 24

GDPR

“Requirements for processing personal data”

By:

- Steffi Besselink, European GDPR and Contract Lawyer (LL.M), Data Protection Officer (DPO)

Provided for:

/steffibesselink

2 of 24

Agenda

Scope

Data types: personal data, pseudonymised data, anonymised data

Data use: what is legal data use

How to assure data subject rights

What is considered secure data

When is an event a personal data breach

Can I share data

Freebies…

3 of 24

Scope

European Data Protection Law

Every European Union country has a Data Protection enforcement office that monitors GDPR compliance (and can impose fines)

Protecting personal data of individuals in the EU

Rules apply to every citizen and company that processes data of citizens in the EU

Regardless of other laws: GDPR applies to ALL personal data

Territorial scope: GDPR applies when a company's data processing activities have a direct link with the European market

Material scope: GDPR applies when it is about personal data

4 of 24

Scope

- Examples

GDPR rules do not apply:

  • A US-based company collects personal information from European customers in the US.
  • A Berlin-based company provides marketing services for hotels in Florida. It does not provide services in the EU.

GDPR rules apply:

  • A US-based company collects personal information from European customers in the EU.
  • A Berlin-based company provides marketing services for hotels in Florida, Barcelona, and India.

5 of 24

Data types

- Personal data

Personal Data

All data related to a person:

  • Direct identifiers
    • email
    • name
    • Bank card numbers
    • Medical record numbers
  • Indirect identifiers
    • Age / DOB
    • Address
    • Sex
    • Online preferences
  • Pseudonymised data
6 of 24

Data types

  • Personal data:
    • Special category

Special category

  1. Prohibited, unless…
  2. Subject to additional security measures

    • Race / ethnicity
    • Political opinions
    • Religious or philosophical beliefs
    • Trade union membership
    • Genetic data
    • Biometric data for identification
    • Data related to health
    • Sexual orientation / sex life

7 of 24

Data types

  • Personal data:
    • pseudonymized

GDPR rules and obligations apply to: direct identifiers, indirect identifiers, pseudonymised data

No GDPR data: anonymised data

There is no link with the individual anymore

Pseudonymisation:

  • Individual is not directly identifiable
  • Security measure to protect individuals from being instantly identified.

8 of 24

Data types

  • Personal data:
    • pseudonymized

Pseudonymisation techniques:

  1. Is the purpose to pseudonymise (secure data) or anonymise (use and share)?
  2. What are the strengths and weaknesses of your choice?
  3. How can you protect the weak points?

Personal data can be pseudonymised by:

  • Encryption with secret key
  • Hash functions
  • Tokenization

9 of 24

Data types

  • Personal data:
    • anonymised

Anonymous Data

  • Deletion of secret keys
  • No re-identification possible when linked with other datasets.
  • Based on the current state of the art techniques
  • Assessment is objective, not based on "but we do not know who it is."
  • Aggregated data, e.g. website visitors, COUNT, SUM, etc.
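The three pseudonymisation techniques from slide 8 (keyed hashing standing in for "encryption with secret key", an unkeyed hash function, and tokenization), the weakness test the slide asks for, and the "deletion of secret keys" and aggregation points from slide 9, worked through in Python. This is an added example, not material from the webinar; the records, e-mail addresses and key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records for this example; the people and e-mail addresses are invented.
RECORDS = [
    {"email": "anna.k@example.com", "dob": "1985-03-12", "city": "Berlin", "diagnosis": "asthma"},
    {"email": "ben.l@example.com", "dob": "1990-07-01", "city": "Hamburg", "diagnosis": "asthma"},
    {"email": "cara.m@example.com", "dob": "1978-11-23", "city": "Berlin", "diagnosis": "diabetes"},
    {"email": "anna.k@example.com", "dob": "1985-03-12", "city": "Berlin", "diagnosis": "flu"},
]

# Columns treated as direct identifiers (slide 5) that must not leave the controller in clear text.
DIRECT_IDENTIFIERS = ("email", "dob")


def pseudonymise_keyed(value, key):
    """Keyed hash (HMAC-SHA256). Deterministic, so records of one person stay linkable,
    but only the holder of `key` can recompute or verify a pseudonym."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_unkeyed(value):
    """Plain SHA-256 without a secret. Deterministic too, but anyone who knows the
    hash function can recompute the pseudonym of any value they already hold."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class TokenVault:
    """Tokenization: identifiers are replaced by random tokens; the mapping table is the secret."""

    def __init__(self):
        self._forward = {}
        self._reverse = {}

    def tokenise(self, value):
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenise(self, token):
        """Returns the original value, or None once the mapping no longer exists."""
        return self._reverse.get(token)

    def destroy_mapping(self):
        """Deleting the mapping is the 'deletion of secret keys' step of slide 9:
        the remaining tokens can no longer be linked back to a person by anyone."""
        self._forward.clear()
        self._reverse.clear()


def pseudonymise_records(records, key):
    """Replace every direct identifier with its keyed pseudonym; other columns are untouched."""
    result = []
    for record in records:
        row = dict(record)
        for column in DIRECT_IDENTIFIERS:
            row[column] = pseudonymise_keyed(row[column], key)
        result.append(row)
    return result


def recompute_check(pseudonyms, known_values, pseudonymiser):
    """Weakness test for slide 8, question 2: given values a recipient already holds
    (e.g. its own customer e-mails), which pseudonyms can it match by recomputing them?
    Returns {pseudonym: matched value}; an empty dict means the column survived the test."""
    lookup = {pseudonymiser(v): v for v in known_values}
    return {p: lookup[p] for p in pseudonyms if p in lookup}


def aggregate(records, column):
    """COUNT per value, as in the aggregated-data example on slide 9: no output row refers
    to a single person (very small counts still need their own assessment)."""
    return dict(Counter(r[column] for r in records))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # pseudonymisation key, to be stored apart from the data
    rows = pseudonymise_records(RECORDS, key)
    print("same person, same pseudonym:", rows[0]["email"] == rows[3]["email"])
    unkeyed = [pseudonymise_unkeyed(r["email"]) for r in RECORDS]
    print("unkeyed hashes matched from a known list:",
          len(recompute_check(unkeyed, ["anna.k@example.com"], pseudonymise_unkeyed)))
    print("aggregate:", aggregate(RECORDS, "diagnosis"))
```

The recompute check is the objective assessment slide 9 calls for: an unkeyed hash of an e-mail column is matched immediately by anyone holding that e-mail, whereas the keyed version only fails if the key leaks, which is exactly the "weak point" to protect (key storage, rotation, access control). Destroying the token mapping or the HMAC key is what moves the remaining data from the pseudonymised to the anonymised column, provided the other fields cannot be linked to another dataset.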

10 of 24

Case study

  • Avast sold anti-virus and browser add-ons
  • Avast analysed browser trends and sold these forecasts to a third party in the US
  • Data followed US-patented anonymisation techniques where all identifiers were removed
  • Authorities argued that the anonymisation was not tested, and in fact did not comply with GDPR requirements. When linked with another dataset, the individual could be re-identified.
  • The average user did not expect analyses to be sold to third parties as a result of a browser add-on.

Case: Avast UOOU-01025/20-121, Fine: 13,5 million, 2024

11 of 24

Data use

  • Compliance

Art. 5, GDPR: Compliance Principles

  • Lawfulness, fairness, transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and Confidentiality
  • Accountability

Most fines:

  1. Legal data access and use
  2. Data subject rights
  3. Demonstrated security

12 of 24

Data use

  • Legal basis

  1. Consent
    • A person consents to receive newsletters
    • A person consents unambiguously and transparently that you transfer the data to a US-based company.
  2. Contract
    • A company asks you to provide data insights and analysis results from data it has collected via consent.
  3. Legal obligation
    • Based on the law, you must keep customer records for #years, to prove you have obtained money for a legal service or product.
  4. Vital interest
    • You have given name and symptoms of your employee to the hospital because the person has difficulty breathing.
  5. Public interest
    • Journalists have exposed details about a company for public interest.
  6. Legitimate interest
    • A company has a legitimate reason to send out a marketing campaign to customers who are reasonably interested in their product.

13 of 24

Case study

  • Amazon had a legitimate interest to monitor employees' performance.
  • Employees were equipped with a scanner that identified them, received instructions and reported on their tasks.
  • Inactivity was reported in real time. Indicators were stored for 31 days and weekly performance reports were written up.
  • They also installed video surveillance, which was done without a legitimate assessment to weigh the necessity and proportionality against data subjects' rights.
  • The measures were too intrusive for the employees.

Case: Amazon SAN-2023-021, Fine: 32 million, 2023

14 of 24

Controller

The Company or Person deciding the purpose and means.

  • Can use data within scope of consent or contract
  • Must establish scope of legitimate interest (e.g. internal development) and inform data subjects of this processing
  • Must determine the scope of security measures
  • Must notify data breaches to authorities and data subjects
  • Must answer data subject right requests.

Contract

Processor

The Company or Person acting on behalf of the Controller.

  • Act on behalf of Controller
  • Act within scope of contract
  • Must prove security measures are appropriate
  • Must immediately inform Controller if there is a data breach
  • Must refer any received data subject right requests to the Controller

15 of 24

Processing and further processing

Controller

  • Purpose: What was the original purpose of the collected data?
  • Legal basis: Does the activity flow from the original purpose? Is the data anonymous?
  • Communication: Are the data subjects aware of the activities?

Processor

  • Purpose of Controller: What were your instructions?
  • Communication: How is the data used?

Changing purpose

  • Re-ask consent
  • Anonymization

16 of 24

Case study

  • The hospital hired a data managing warehouse 'Estar' as a data processor to make data available via a 'data mart'.
  • The hospital asked doctors to fill in an Excel file with names and pathologies related to specific diseases. Doctors would ask consent, fill in the file, embed it in a password-protected zip, and share it with district physicians via a USB drive.
  • Estar was managing the data in a warehouse and, via a 'data mart', showing only pseudonymised data, using an existing regional identifier.
  • Authorities said the activities lacked a DPIA risk assessment, security measures, retention periods, information to data subjects, and a clear data processor / controller framework with Estar.

Case: Hospital in Italy 9529527, Fine: €100,000, 2021

17 of 24

Data subjects

  • Right to access
  • Right to data portability
  • Right to rectification
  • Right to not provide data to automated decision-making tools
  • Right to erasure ("to be forgotten")
  • Right to be informed
  • Right to restrict or object to processing

18 of 24

Data subjects

  1. Mention all rights
  2. Explain which rights cannot be executed
  3. Explain your role (data controller / processor)
  4. Add at all times that data subjects have the right to lodge a complaint with the supervisory authorities
  5. Always reply to any data protection right request within 30 business days.

19 of 24

Data Security

  • Technical and Organisational Security Measures

Systems

  • Firewalls / Virus protection
  • Domain / network control and monitoring
  • Backups, Archiving systems, retention
  • Access logs

Users

  • Need-to-know access
  • Multi-factor authentication
  • Remote working locations monitoring
  • Policies and training

Data

  • Encryption
  • Pseudonymisation
  • Data storage and location

20 of 24

Risk preparation

  • What type of data is being processed, on what legal basis and for what purpose?
  • What is the risk of re-identification of an individual, e.g. via linking a data set?
  • Who can access the data? How strong are access measures?
  • Where is the data stored and with whom is it shared?
  • Has a Data Protection Impact Assessment (DPIA) been performed?
  • What is objectively the risk for a pseudonymisation key to be hacked?
  • What is objectively the risk for data to be accessed, lost, or modified without authorisation?

Event response

21 of 24

Data Sharing

Internal governance

  • Access given, based on need-to-know

EEA + Adequacy decision

  • DPA (Data Processing Agreement)
  • (Unless other sharing forms are in place)

Other locations

  • DPIA + SCC contract
  • Other forms, if possible, by GDPR

22 of 24

Data Breach

Data Controller

  • Reports to Authorities within 72 hours
  • Notifies data subjects

Data Processor

  • Reports to data controller

Red flags

  • Cyber security hacks
  • Data is lost and no back-up is available
  • A customer receives the purchasing statement from another customer
  • A flaw in the code of a website hosting company led to all users being able, for a temporary time, to access all other user accounts.
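The last two red flags share one root cause: a record is looked up by its id alone, with no check that the requesting user owns it. As an added example (not code from the webinar or from any of the companies named in it), the Python below shows that lookup beside a hardened version that checks ownership and writes every decision to an access log, the "access logs" measure from the Data Security slide, so that a run of denied requests can be noticed under the incident procedure. The statements, customer names and amounts are constructed.

```python
from collections import Counter
from datetime import datetime, timezone


class AccessDenied(Exception):
    """Raised when a user asks for a record that is not theirs (or does not exist)."""


# Constructed sample data: two customers, each with one purchasing statement.
STATEMENTS = {
    101: {"owner": "alice", "total": "42.00 EUR"},
    102: {"owner": "bob", "total": "17.50 EUR"},
}


def get_statement_vulnerable(requesting_user, statement_id):
    """The flaw behind the red flag: the lookup uses only the statement id, so any
    logged-in user who changes the id in the request reads another customer's statement."""
    return STATEMENTS[statement_id]


class StatementService:
    """Hardened lookup: ownership is checked and every decision is written to an access log."""

    def __init__(self, statements):
        self._statements = statements
        self.access_log = []

    def get_statement(self, requesting_user, statement_id, now=None):
        now = now or datetime.now(timezone.utc)
        record = self._statements.get(statement_id)
        allowed = record is not None and record["owner"] == requesting_user
        self.access_log.append({
            "time": now.isoformat(),
            "user": requesting_user,
            "statement_id": statement_id,
            "result": "allowed" if allowed else "denied",
        })
        if not allowed:
            # One error for "not yours" and "does not exist": the response reveals
            # nothing about which ids belong to other customers.
            raise AccessDenied(f"statement {statement_id} is not available to {requesting_user}")
        return record


def denied_attempts_per_user(access_log):
    """Counts denied requests per user. A user accumulating denials across many ids
    is an event to investigate, and to document, before it becomes a reportable breach."""
    return dict(Counter(e["user"] for e in access_log if e["result"] == "denied"))


if __name__ == "__main__":
    service = StatementService(STATEMENTS)
    print("own statement:", service.get_statement("alice", 101))
    for other_id in (102, 103):
        try:
            service.get_statement("alice", other_id)
        except AccessDenied as err:
            print("denied:", err)
    print("denied per user:", denied_attempts_per_user(service.access_log))
```

The ownership check belongs in the server-side lookup, not in the user interface: the vulnerable function is exactly what remains when the check only exists in the page that lists a customer's own statements. The log entries are what the Controller needs when deciding, within the 72-hour window, whether personal data of other customers was actually accessed and whose.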

23 of 24

RECAP

Data can be processed (legally) when there is a legal basis

Data subjects should be informed of these activities and notified of changes.

Data should be secured with technical and organisational security measures

Business activities should have a risk assessment and an incident procedure

You won’t be fined for a data breach.

You are fined for lack of preparedness and response.

How to demonstrate compliance?

  • Documentation, reports, assessments, etc.

24 of 24

GDPR: Freebies

  1. Checklist: GDPR Compliance
  2. Template: Personal data assessment
  3. Template: Pseudonymisation assessment
  4. Checklist: Security measures

This Webinar was provided for:

linkedin.com/in/steffibesselink