Learn about data mapping and record of processing activities, and how they relate to the rights of individuals under the GDPR. Gain knowledge on creating a data map and record of processing, and understand the obligations for maintaining these records. Explore the rights of individuals and the importance of accountability in data protection. Suitable for organizations subject to GDPR requirements.
Session 4: Data Mapping and Data Subject Rights
Tash Whitaker, Whitaker Solutions Ltd
Facilitator: Sylvia Gillpatrick, CEESA
Table leaders / Panel: Cosimo Monda, ECPC; Mark Orchison, 9ine; John Mikton, Luxembourg; Chris Vincent, ISZL; Peter Murphy, International School of Vienna; Jenny-Lee Moore, ISB
Data Mapping and Record of Processing
• Who needs one and why?
• What exactly is the Record of Processing?
• How do you create a data map?
• How do you create a record of processing?
• How does it relate to the Rights of the Individual?
Who needs it and why? (Article 30 and Recital 82)
• “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” – Article 30
• Unless: you are an entity of fewer than 250 employees, only process data occasionally in a way that poses a low risk to the individual, and do not process any special category or criminal conviction data.
• “In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.” – Recital 82
What is it? The Record of Processing Activities is “about the how and the why, the ‘where’ is secondary.” - Oran Kiazim, Senior Data Protection Advisor UK, Bird & Bird
Data Mapping Exercise Whiteboard exercise
Record of Processing
• Who is the data subject?
• What is the data?
• Why do we hold it?
• Where do we hold it?
• Source?
• Special category?
• Special category derogation?
• Who do we transfer it to?
• What country is it transferred to?
• Third country transfer mechanism?
• How is it protected?
• How long will we keep it?
• Lawful basis?
• Who has access?
Rights of the Individual and Record of Processing
• Right to be informed
• Right to Access
• Erasure
• Erasure if data is no longer needed for the purpose for which it was collected
• Rectification
• Objection
• Portability
• Restriction
• Object to processing for marketing purposes
• Object to automated decision making or profiling
• Not to be subjected to automated decision making, including profiling, producing negative effects
• Complain to the Data Protection Authority
Session 5: Accountability: DPIAs, DPAs, Data Transfers
Tash Whitaker, Whitaker Solutions Ltd
Facilitator: Neven Soric, American International School of Zagreb
Panel:
• Sandro Pace Bonello, ISL
• Sylvia Gillpatrick, CEESA
• Mark Dilworth, ZIS
Data Processing Agreements – What, When and Why? “Processing by a processor shall be governed by a contract or other legal act…” (Article 28, GDPR)
DPA must include
• the subject matter of the processing;
• the duration of the processing;
• the nature and purpose of the processing;
• the type of personal data involved;
• the categories of data subject;
• the controller’s obligations and rights.
DPA must state
• the processor must only act on the controller’s documented instructions, unless required by law to act without such instructions;
• the processor must ensure that people processing the data are subject to a duty of confidence;
• the processor must take appropriate measures to ensure the security of processing;
• the processor must only engage a sub-processor with the controller’s prior authorisation and under a written contract;
• the processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights;
• taking into account the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
• the processor must delete or return all personal data to the controller (at the controller’s choice) at the end of the contract, and the processor must also delete existing personal data unless the law requires its storage; and
• the processor must submit to audits and inspections. The processor must also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations.
Data Transfers outside the EEA are prohibited, unless…
• There is an adequacy agreement
• Binding Corporate Rules
• EU standard Clauses
• Contract Derogation
• Explicit consent
• Legal claim
• Vital interest
• Public Register
• Public Authority
• Compelling one-off vital interest