This presentation provides an overview of GDPR-related laws and special provisions, including their implications for various sectors such as law enforcement, marketing, telecommunication, and healthcare. The slides are color-coded to indicate their importance and can be adapted to suit your audience.
Topic 11 - It’s not just the GDPR - GDPR related laws and special provisions
How to Read the Slides' Colour Frames [Remove Before Delivering]
• Green – a basic slide: we encourage you to keep it
• Yellow – a medium-level slide: it is important, but does not jeopardise effectiveness if removed
• Red – an advanced slide: consider adapting it to your audience, preparing your audience for it, or removing it if you deem it unnecessary
• Purple – advised adaptation: this slide should contain information regarding the national legislation complementing the EU Regulations; if the content regards a different Member State, we advise you to replace it with the relevant national content
Speaker Name Title Department Contact details
Outline:
• Welcome and introduction
• Objectives
• EU legal framework respecting data protection
• Law enforcement and forensic activities
• Service sector
• Marketing industries
• Telecommunication
• E-commerce
• Employment
• Education
• Healthcare
• Social media
• Q & A
• Wrap-up and feedback
EU Legal framework respecting data protection
Recent applicable framework
• Directive 2016/680/EU
• Regulation (EU) 2016/679
• Directive 2002/58/EC
• Consumer Rights Directive 2011/83/EU (principles stemming from Directive 97/7/EC with Directives 85/577, 93/13 and 1999/44)
• Unfair Terms Directive 93/13/EC
• eCommerce Directive 2000/31/EC
• Consumer Sales Directive 1999/44/EC
• Directive 2002/709/EC on distance selling of financial services to consumers
• Directive 2002/65/EC on the distance marketing of consumer financial services and amending Council Directive 90/619/EEC and Directives 97/7/EC and 98/27/EC
Future framework – a central element of the Digital Single Market strategy
• The European Commission's proposal for a Regulation on Privacy and Electronic Communications
• European Electronic Communications Code
• Proposal for a Directive on certain aspects concerning contracts for the supply of digital content
• Proposal for a Directive on certain aspects concerning contracts for the online sales of (tangible) goods
• Proposal for ePrivacy Regulation
• Geoblocking Regulation
The Law Enforcement Directive – Part I
• Principles of data processing
  • lawful and fair
  • for specified, explicit and legitimate purposes
  • adequate, relevant and not excessive
  • accurate
  • permitting identification of data subjects for no longer than is necessary
  • ensuring appropriate security of the personal data
• Scope and aim of the Directive
  • applies to the processing of personal data by competent authorities for the purposes of
    • the prevention,
    • investigation,
    • detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security
The Law Enforcement Directive – Part II
1. Member States shall provide for the controller, where applicable and as far as possible, to make a clear distinction between personal data of different categories of data subjects, such as
• persons for whom there are serious grounds for believing that they have committed or are about to commit a criminal offence
• persons convicted of a criminal offence
• victims of a criminal offence
• other parties to a criminal offence, such as persons who might be called on to testify in investigations in connection with criminal offences
Specific processing conditions
1. Personal data collected by competent authorities for the purposes set out in Article 1(1) shall not be processed for purposes other than those set out in Article 1(1) unless such processing is authorised by Union or Member State law. Where personal data are processed for such other purposes, Regulation (EU) 2016/679 shall apply unless the processing is carried out in an activity which falls outside the scope of Union law.
2. Where competent authorities are entrusted by Member State law with the performance of tasks other than those performed for the purposes set out in Article 1(1), Regulation (EU) 2016/679 shall apply to processing for such purposes, including for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, unless the processing is carried out in an activity which falls outside the scope of Union law.
3. Member States shall, where Union or Member State law applicable to the transmitting competent authority provides specific conditions for processing, provide for the transmitting competent authority to inform the recipient of such personal data of those conditions and the requirement to comply with them.
4. Member States shall provide for the transmitting competent authority not to apply conditions pursuant to paragraph 3 to recipients in other Member States or to agencies, offices and bodies established pursuant to Chapters 4 and 5 of Title V of the TFEU other than those applicable to similar transmissions of data within the Member State of the transmitting competent authority.
Rights of the data subject – Part I
• Information relating to processing must be given to the data subject in a concise, intelligible and easily accessible form, using clear and plain language
• Information must be given to the data subject on
  • the data controller
  • the purpose and legal basis of the processing
  • the right to lodge a complaint
• Member States may adopt legislation to delay, restrict or omit information given to the data subject in order to
  • protect public and national security and the rights and freedoms of others
  • avoid obstructing official or legal inquiries, investigations or procedures, or avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties
Rights of the data subject – Part II
• Right of access to information on
  • purposes and legal basis of processing
  • categories of data processed
  • the recipients to whom the personal data is disclosed
  • lodging a complaint
• Limitations of the right to access information
  • protect public and national security and the rights and freedoms of others
  • avoid obstructing official or legal inquiries, investigations or procedures, or avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties
• Right to rectification or erasure of personal data and restriction of processing
  • where processing infringes the provisions adopted pursuant to Article 4, 8 or 10
  • restriction instead of erasure
  • written reasoning of a refusal of erasure is needed
  • limitations of the right to erasure
Security of personal data – data breach
• Appropriate technical and organisational measures must be implemented by the controller to ensure a level of security appropriate to the risk
• In the case of a personal data breach, the controller must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it
• Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must notify the data subjects
DPO and DPA under the LED
• DPO
  • Designation, position and tasks
• DPA
  • Independence, members, establishment
  • Competence, tasks and powers
• Similarities and differences compared to the GDPR
Service sector
• Banking
• Marketing industries
• Telecommunication
• Online services
• E-commerce
Information duties in the service sectorial legislation
1. Principles for providing information
• clear communication, identifiable conditions, accessible data of the service provider, the right to identify and correct data, etc.
• examples
  • Distance Contracts Directive, Articles 4 and 5
  • eCommerce Directive 2000/31/EC, Articles 5, 6 and 10
  • Consumer Rights Directive, Articles 6 and 8
2. How to apply appropriate information duties? Consider three categories:
• General information duties, which apply in business-to-business relations and business-to-consumer relations;
• B2C information duties, which only apply to business-to-consumer relations; and
• B2B information duties with regard to online contracting, which apply to business-to-business relations as well as B2C.
Privacy and electronic communication (Directive on privacy and electronic communications)
1. The scope and aim of the Directive
• The Directive requires Member States to ensure the rights and freedoms of natural persons with regard to the processing of personal data, and in particular their right to privacy
• The Directive harmonises the provisions of the Member States for the right to privacy
2. Services concerned
• The Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community
3. Areas that the provisions of the Directive concern
• Security of the services provided electronically
• Confidentiality of the communications
• Electronic communications networks
• Electronic contracts
• The use of cookies
• Marketing activities
• Customer relationship management
• The right to privacy of subscribers to electronic communications services
• Location data other than traffic data
Information society services – Applicable legal framework: The eCommerce Directive
1. The scope and aim of the Directive
• The Directive contributes to the proper functioning of the internal market by ensuring the free movement of information society services between the Member States
2. Information requirements
• General information to be provided (Article 5 of the Directive): data of the service provider
• Information to be provided (Article 6 of the Directive): conditions that commercial communications shall comply with
• Information to be provided (Article 10 of the Directive): information shall be given by the service provider clearly, comprehensibly and unambiguously, and prior to the order being placed by the recipient of the service
Employment – Employees' data processing
• Defining legitimate ground
• Recruitment
• Workplace monitoring (i.e., relating to time and attendance, video monitoring systems, location)
• ICT usage at the workplace (including BYOD)
• ICT usage outside the workplace
• Specific employment context of a Member State
• Practical example: processing of employee personal data when using company vehicles
• Council Directive on an employer's obligation to inform employees of the conditions applicable to the contract or employment relationship?
Defining legitimate ground
• Data protection principles apply, irrespective of the technology used
• Purpose limitation, proportionality and subsidiarity
• Subordination of the employee to the employer
• Effective information about the monitoring, e.g., workplace monitoring policy, data protection policy, data classification policy, data handling guidelines, whistleblowers policy, and data breach policy
Education and science
• Education
  • What is personal data in education?
  • Specific conditions of processing personal data in schools
  • Rights of the children – Convention on the Rights of the Child
• Science
  • Protection of personal data of participants of scientific studies
  • Who is a data controller / processor in a scientific research or study?
  • Consent in scientific-purpose data processing
  • Specific data in science (i.e. medical research, genetic data)
Healthcare
• The GDPR considers healthcare data as a special category of data
• EU legal framework concerning healthcare and data protection
  • Directive 2011/24/EU of the European Parliament and of the Council on the application of patients' rights in cross-border healthcare
  • Clinical Trials Regulation (Regulation (EU) No 536/2014)
  • The Digital Health Society Declaration
  • Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art. 70.1.b)
Evaluation and feedback
• Evaluation forms
• Attendance sheet
Credits
These training materials are based on standard training materials developed in the context of the project "Supporting Training Activities on the Data Protection Reform" – STAR (http://www.project-star.eu/). This project has received funding from the European Union under the REC Action Grant programme, Grant Agreement No 769138 (2017-2019). The default version of the training materials is available free of charge on the STAR project website.