
2017 02-05 en-eu-data-security_v2

Apr 12, 2017


Healthcare

Transcript
Page 1

PERSONAL DATA PROTECTION (EU)

Regulation (EU) 2016/679 of April 2016. Publication date: February 06, 2017

ARETE-ZOE, LLC: 1334 E Chandler Blvd 5A-19, 85048 Phoenix, AZ, USA | T:+1-480-409-0778 (24/7) | website: http://www.aretezoe.com/

Page 2

Overview

• Repeals Directive 95/46/EC
• Passed in April 2016
• To be adopted by May 2018
• Protection of data of natural persons is a fundamental human right
• Free movement of personal data within the EU not restricted
• Includes ‘data concerning health’
• Conditions of consent
• Processing of special categories of personal data severely restricted
• Right to access, rectification and erasure
• Obligations of controllers and processors
• Security of personal data
• Member states shall incorporate specifics in national law

Page 3

INTENT

Regulation (EU) 2016/679 of April 2016

This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

Page 4

The Treaty on the Functioning of the European Union

Page 5

Right to the protection of personal data

• All natural persons, regardless of nationality or residence
• Not an absolute right, but balanced against other rights
• Substantial increase in cross-border flow of personal data
• Public and private actors & national authorities
• Technological developments
• Globalization
• Disclosures made through social networks
• Differences in data protection hinder business

Coherent data protection & enforcement required for the digital society and economy to thrive

Page 6

• Definition
  • Rights of natural persons that are protected
  • Legal persons not affected
  • Powers for monitoring and ensuring compliance, incl. sanctions
• Purpose
  • Legal certainty and transparency for economic subjects
  • Same level of enforceable rights for all natural persons in the EU
  • Effective cooperation between supervisory authorities
  • Provisions for small business (<250 employees)
  • National security, common foreign/security policy matters excluded

Principle of technological neutrality for data processing: the rules cover both automated and manual systems

Page 7

Exemptions

Purely personal or household activity
• Correspondence
• Holding of addresses
• Social networking

• NOT: Controllers of household activities
• NOT: Courts and judicial authorities

EXEMPT
• Anonymous information
• Deceased persons

Page 8

Applicability

• Controller
• Processor
• Intermediary
• Commercial
• Diplomatic

• Processing of personal data of EU natural persons
  • Regardless of whether the processing itself takes place within the EU
  • Regardless of the place of establishment of the controller / processor / intermediary
  • Effective and real exercise of activity through stable arrangements
• Customers’ data (incl. marketing)
  • Intention to offer goods or services to data subjects in the EU:
    • Accessibility of website in the EU
    • Email address/contact details
    • Language and/or currency
    • Possibility of ordering goods and services
    • Mentioning of customers or users who are in the EU
• Monitoring of EU data subjects on EU territory
  • Tracking persons online and their profiling
  • Analysis/prediction of personal preferences, behaviors and attitudes
• Diplomatic missions or consular posts of Member States

Page 9

National authorities
• Tax and customs authorities
• Financial investigation units
• Independent administrative authorities
• Financial market authorities (securities markets)
• Requests for disclosure in writing, reasoned and limited

Purpose of data processing
• Compliance
• Public interest
• Exercise of official authority
• Specific situations clearly defined

Page 10

Health data

• (33) Scientific research
• (34) Genetic data
• (35) Health data

• Data subjects should be allowed to give consent to certain areas of scientific research or its parts, in compliance with ethical standards
• Genetic data should be defined as personal data: analysis of a biological sample (chromosomal, DNA or RNA analysis)
• Personal data concerning health:
  • Health status of a data subject (past, current or future)
  • Physical or mental health status
  • Information collected for registration or provision of health care services
  • Unique identifiers for health purposes
  • Information derived from medical and laboratory tests or examinations
  • Information on disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state

Page 11

Applicability

• Identifiable live persons
• Declare risks, rules, rights
• Define safeguards
• Legitimate purpose
• Limited time
• Accuracy / Correction
• Security
• Confidentiality

Processing of personal data
• Declare: risks, rules, safeguards and rights, and how data subjects can exercise their rights
• Purpose: explicit, legitimate and declared; cannot be fulfilled by other means
• Storage: limited to a strict minimum, with time limits for erasure / periodic review
• Corrections: inaccurate personal data should be rectified or deleted
• Security and confidentiality
• Children: specific protection for marketing or creating profiles

Identified or identifiable natural persons
• Including pseudonyms, if attributable
• Direct and indirect identification
• Costs of identification/attribution
• Technological: device identifiers, IP addresses, cookies, RFID tags
• If a person cannot be identified, the controller has no obligation to follow up

Pseudonymization during processing is recommended to reduce risks
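The two points above, that pseudonymised data stay personal data as long as someone can attribute them, and that pseudonymisation still reduces risk for everyone else, can be made concrete in code. The following is an added illustration, not part of the original deck: keyed pseudonyms (HMAC-SHA256) replace direct identifiers in a working dataset, while the key and the pseudonym-to-identity lookup stay with a separate custodian. The patient records, field names and key are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample records (fictitious patients, not real data).
RECORDS: List[Dict[str, str]] = [
    {"name": "Anna Example", "national_id": "ID-0001",
     "dob": "1980-04-12", "diagnosis": "type 2 diabetes"},
    {"name": "Ben Sample", "national_id": "ID-0002",
     "dob": "1975-09-30", "diagnosis": "hypertension"},
    {"name": "Anna Example", "national_id": "ID-0001",
     "dob": "1980-04-12", "diagnosis": "retinopathy"},
]

# Fields that identify the person directly; they must leave the working dataset.
DIRECT_IDENTIFIERS = ("name", "national_id", "dob")


def pseudonym(national_id: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 128 bits).

    Deterministic, so records of one person stay linkable inside a project;
    keyed, so nobody without the key can recompute or verify a token.
    """
    return hmac.new(key, national_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: List[Dict[str, str]],
                 key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Split records into a working dataset and a separately held lookup table.

    The working dataset carries the pseudonym plus health attributes only (data
    minimisation). The lookup (pseudonym -> identity) stays with the key custodian,
    apart from the dataset; while it exists the data remain attributable, hence personal.
    """
    working: List[Dict[str, str]] = []
    lookup: Dict[str, Dict[str, str]] = {}
    for rec in records:
        token = pseudonym(rec["national_id"], key)
        attrs = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"pseudonym": token, **attrs})
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return working, lookup


def contains_direct_identifiers(working: List[Dict[str, str]]) -> bool:
    """Release check: the working dataset must not carry any direct identifier field."""
    return any(k in DIRECT_IDENTIFIERS for rec in working for k in rec)


def reidentify(token: str, lookup: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Attribution by the key custodian, via the separately held lookup table."""
    return lookup.get(token, {})


def attributable(token: str, candidate_ids: List[str], key: bytes) -> bool:
    """Can a holder of this key (and a list of candidate IDs) attribute the token?

    With the wrong key the comparison fails for every candidate; that property is
    what makes a keyed pseudonym safer than a plain hash of the identifier.
    """
    return any(hmac.compare_digest(pseudonym(c, key), token) for c in candidate_ids)


def demo() -> None:
    project_key = b"\x11" * 32  # constructed key; in practice issued by a key manager
    working, lookup = pseudonymise(RECORDS, project_key)
    for rec in working:
        print(rec)
    print("release check passed:", not contains_direct_identifiers(working))
    print("custodian attribution:", reidentify(working[0]["pseudonym"], lookup))


if __name__ == "__main__":
    demo()
```

Using a different key per project gives unlinkable pseudonyms across projects, which limits how far a leak of one working dataset can be combined with another.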

Page 12

Lawful Processing

Lawful | Fair | Transparent

• Consent
• In the context of entering into a contract
• Compliance with a legal obligation
• Public interest (public health)
• Exercise of official authority (specifics defined in national law)
• Essential for the life of the data subject or that of another natural person
• Vital interest of another natural person (if there is no other legal basis)
• Humanitarian purposes, epidemics, emergencies, disasters
• Legitimate interests of a controller based on its relationship with the data subject
• Group of undertakings: transmitting data for internal administrative purposes

Extent strictly necessary and proportionate

Transparency: concise, accessible, easy to understand

Page 13

Information Security

• Availability
• Authenticity
• Integrity
• Confidentiality

• Ensuring network and information security
  • Resilience of a network or an information system
  • At a given level of confidence
  • Resist accidental events and/or unlawful or malicious actions
• Data and information security
  • Both stored and transmitted personal data
  • Security of the related services offered via those networks
• Legitimate interests: public authorities, CERTs, CSIRTs, carriers, providers of security technologies and services

Preventing unauthorized access to networks, malicious code distribution and stopping ‘denial of service’ attacks and damage to computers and networks.

Page 14

Controller

CONTROLLER
• Organization: the main establishment of the processor should be its central administration
• A group of undertakings should cover a controlling undertaking and its controlled undertakings
• Erasure: all controllers who made the data public
• Controllers shall erase any links, copies or replications of personal data
• Methods: restriction of public access to such data
• NOT: controllers in the exercise of their public duties
• Data subject shall receive data in a structured format
• Portability: right to have personal data transmitted directly from one controller to another

DATA SUBJECT
• Right to object to the processing of any personal data
• Direct marketing: the right to opt out, free of charge
• Request, access, rectify and erase data about self
• Right to be informed of profiling and its consequences
• Informed of disclosure to third parties
• Where the controller processes a large quantity of information about the subject, the request for disclosure needs to be specific
• Controller should take reasonable measures to identify the requestor

The controller has to demonstrate that its compelling legitimate interest overrides the interests of the data subject.

Page 15

Non-original purpose

The processing of personal data for purposes other than those for which they were originally collected should be allowed only if:
• Such processing is compatible with the original purposes
• The data subject has given consent
• It serves important objectives of general public interest
• Transmission of suspected criminal acts or threats to public security to law enforcement

A legal, professional or other binding obligation of secrecy applies.

Page 16

The right to be forgotten

ERASURE
• Right to have own personal data rectified
• Infringement of this Regulation
• Personal data no longer necessary for the purposes for which they were processed
• Data subject has withdrawn consent
• Data subject objects
• Processing not in compliance with this Regulation
• Data subject consented as a child
• Controller should ensure erasure of links, copies or replications

RETENTION
• Freedom of expression and information
• Compliance with a legal obligation
• Task carried out in the public interest
• Official authority vested in the controller
• Public interest in the area of public health
• Archiving purposes in the public interest
• Scientific or historical research
• Statistical purposes
• Establishment, exercise or defense of legal claims

Page 17

Sensitive data and profiling

Particularly sensitive personal data and profiling
• Racial or ethnic origin
• Political opinions, religion or philosophical beliefs
• Trade union membership
• Genetic data, health data, sex life
• Criminal convictions or offences and security measures
• Photographs for identification don’t count as racial profiling
• Analysis of personal aspects, performance at work
• Economic situation
• Personal preferences or interests
• Reliability or behavior
• Location or movements

Allowed in employment law, social protection law, health security
Allowed where expressly authorised (fraud, tax-evasion monitoring)

The data subject should have the right not to be subject to a decision based solely on automated processing and which produces legal effects (automatic refusal of an online credit application or e-recruiting practices)

Page 18

Risks to natural persons
• Discrimination
• Identity theft or fraud
• Financial loss
• Damage to reputation
• Loss of confidentiality of data protected by professional secrecy
• Reversal of pseudonymisation
• Economic or social disadvantage

Rights of data subject vs. rights of society
• Data subject’s rights need to be balanced against the rights of society
• Responsibility and liability of the controller needs to be established
• The risk to the rights and freedoms of natural persons, of varying likelihood and severity, could lead to physical, material or non-material damage:
  • Data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data

High risk:
• Vulnerable persons (children)
• Large amount of personal data
• Large number of data subjects

Risk assessment
• The likelihood and severity of the risk to the data subject should be determined by reference to the nature, scope, context and purposes of processing
• Establish whether risks involved in data processing operations

Page 19

Data Security Measures

Appropriate technical and organizational measures
• Risk assessment relating to the scope, nature and purpose of processed data
• Clear allocation of responsibilities
• Representative if controller/processor is not established in the Union
• Development, design, selection and use of applications, services and products
• Create and improve security features
• Expert knowledge, reliability and resources
• Encryption
• Approved code of conduct
• Certification mechanism
• Records of processing activities for audit purposes

Balance costs against risks of data destruction, loss, alteration, or disclosure

Data protection impact assessment for high risk data: Scope | Nature | Scale | Purpose

Page 20

Data Breaches
• Reportable within 72 hrs
• Impact assessment

Report data breaches to the supervisory authority within 72 hours
• Controller should communicate high risk data breaches to the data subject
  • Nature of the personal data breach
  • Recommendations to mitigate potential adverse effects
• Intervention of the supervisory authority

Appropriateness of technical protection
Likelihood of identity fraud or other forms of misuse

Impact assessment of large-scale data processing operations
• Obligation of controllers/processors
• Consultation of the supervisory authority and/or experts required
• Special categories of personal data
• Data relating to criminal convictions and offences
• Codes of conduct and certification systems

Page 21

International data flow

Flows of personal data to and from countries outside the Union are necessary for trade
• Level of protection of natural persons should not be undermined
• Appropriate safeguards for the data subjects
• International agreements for the transfer of personal data to third countries

European Commission
• May decide which countries offer an adequate level of data protection
• May revoke such a decision
• Monitors the functioning of decisions
• May recognize that a third country no longer ensures an adequate level of protection

Controller/Processor
• Measures to compensate for the lack of data protection
• Binding corporate rules, standard data protection clauses or contractual clauses
• Provisions for occasional consensual data transfers
• Derogations for data transfers for important reasons of public interest
• Scientific or historical research purposes or statistical purposes
• International laws requiring the transfer or disclosure of personal data

Page 22

Supervisory authorities

National Supervisory Authorities
• Competent on the territory of its own Member State
• Contribute to consistent application of the law throughout the Union
• Powers exercised impartially, fairly and within a reasonable time
• Act in accordance with procedural law
• Power to impose a limitation, including a ban, on data processing
• Measure should be appropriate, necessary and proportionate, and in writing
• Urgent need to act: provisional measures valid up to 3 months

Joint operations
• If more than one is involved, one should function as a single contact point
• One-stop-shop mechanism

Constraints
• Unable to conduct investigations outside their borders
• Insufficient preventative or remedial powers
• Inconsistent legal regimes and resource constraints

Page 23

Handling Complaints
• Data subjects should have the right to lodge a complaint with a single Supervisory Authority
• Organizations may lodge complaints independently of a data subject’s mandate
• Annulment of decisions: Board before the Court of Justice (Article 263 TFEU)
• Legally binding decisions of Supervisory Authorities shall be subject to judicial review
• Courts ensure consistency of application of the Regulation
• Controller/processor liable for damage caused by infringement of this Regulation
• The controller/processor is exempt from liability if it proves that it is not responsible for the damage
• Data subjects entitled to compensation for damage

Page 24

Enforcement

Controllers/processors involved in data processing are all liable for the entire damage. Where joined to the same proceedings, compensation shall be apportioned.

Penalties for infringement: administrative fines or reprimand, taking into account:
• Nature, gravity and duration of the infringement
• Intent, actions taken to mitigate the damage, degree of responsibility
• Relevant previous infringements
• Compliance with measures
• Adherence to a code of conduct
• Other aggravating or mitigating factors

• Imposition of penalties subject to procedural safeguards
• Criminal penalties may apply (Denmark)
• Criteria for infringements and upper limit for fines
• Consistent application

System which provides for effective, proportionate and dissuasive penalties

Page 25

Balance other rights
• Freedom of expression, information, journalism, art and literary expression

Employment context
• Collective agreements, including ‘works agreements’

Public interest
• Archiving, scientific or historical research, statistical purposes
• Reuse of official documents

Safeguards
• Assess feasibility of processing data without identification (pseudonymization)
• For the processing of personal data in special situations
• For data subjects: rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object
• Procedures and technical and organizational measures
• Proportionality and necessity principles
• Other relevant legislation (clinical trials)

Coupling information from registries (e.g. medical research, social science) is subject to conditions set out in specific EU or national law (clinical trials)

Freedom of expression | Reuse of public information

Page 26

Public Interest
• Archiving
• Scientific Research
• Historical Research
• Statistical Purposes

Archiving
• Legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for the public interest
• Processing of personal data for archiving purposes: political behavior under totalitarian regimes, genocide, crimes against humanity, the Holocaust, or war crimes

Scientific research
• Technological development and demonstration, fundamental research, applied research and privately funded research
• Union's objective under Article 179(1) TFEU of achieving a European Research Area
• Studies conducted in the public interest in the area of public health
• Specific conditions apply for publication/disclosure of personal data in a scientific context
• Consent to participation in scientific research: Regulation (EU) No 536/2014

Historical research
• Applicability includes historical research and genealogy

Statistical purposes
• National law determines content, access controls, specifications, and safeguards
• Result of processing for statistical purposes is aggregate data, not personal data

Page 27

Supervision

Supervisory authorities
• Access to personal data on the controller’s premises, subject to national law
• Specific rules for professional secrecy obligations
• Specific rules for churches and religious associations
• Movement of data: Article 290 TFEU delegated to the EC
• Criteria and requirements for certification
• Information to be presented by standardized icons
• Uniform conditions for the implementation
• Specific measures for small business

Procedure
• Standard contractual clauses
• Codes of conduct
• Technical standards and mechanisms for certification
• Decisions on adequacy of protection in third countries
• Standard protection clauses
• Formats and procedures for information exchanges
• Mutual assistance
• Arrangements for information exchange between supervisory authorities
• Implementing acts regarding third countries and international organizations

Page 28

GENERAL PROVISIONS

Objectives | Scope | Exemptions | Territory | Definitions

Page 29

Objectives
• Protection of personal data of natural persons
• Free movement of data within the EU not restricted

Scope
• Processing of personal data by automated means
• Processing other than by automated means which forms part of a filing system

Exemptions
• Activity outside the scope of Union law
• Member States carrying out activities under Chapter 2 of Title V of the TEU
• Purely personal or household activity
• Competent authorities for prevention and investigation of crimes and public threats
• EU agencies: Regulation (EC) No 45/2001 (Art 98)
• Liability rules of intermediary service providers: Directive 2000/31/EC (Art 12 - 15)

Territory
• Processing of personal data by controllers/processors established in the EU
• Data subjects who are in the EU: trade and marketing, monitoring and tracking

Page 30

DEFINITIONS

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status

‘personal data’ - ‘processing’ - ‘restriction of processing’ - ‘profiling’ - ‘pseudonymisation’ - ‘filing system’ - ‘controller’ - ‘processor’ - ‘third party’ - ‘consent’ - ‘personal data breach’ - ‘genetic data’ - ‘biometric data’ - ‘data concerning health’ - ‘main establishment’ - ‘representative’ - ‘enterprise’ - ‘group of undertakings’ - ‘binding corporate rules’ - ‘supervisory authority’ - ‘supervisory authority concerned’ - ‘cross-border processing’ - ‘relevant and reasoned objection’ - ‘information society service’ - ‘international organization’

Page 31

PRINCIPLES

Lawful-Fair-Transparent | Consent | Special categories

Page 32

LAWFULNESS | FAIRNESS | TRANSPARENCY

Personal data shall be processed lawfully, fairly and in a transparent manner
• Purpose limitation: collected for specified, explicit and legitimate purposes
• Public interests: archiving, scientific or historical research, or statistical purposes
• Data minimization: adequate, relevant and limited
• Accuracy: accurate, up to date; erased or rectified without delay
• Identifiable data subjects – adequate form
• Storage limitation: no longer than necessary
• Appropriate security of the personal data
• Integrity and confidentiality: protection against unauthorized or unlawful processing, loss, destruction or damage
• Accountability: controller shall be able to demonstrate compliance

Page 33

LAWFULNESS | FAIRNESS | TRANSPARENCY

Personal data shall be processed lawfully, fairly and in a transparent manner
• Data subject consented to data processing for a specific purpose
• Controller/processor has a contract to which the data subject is party
• Compliance with the controller’s legal obligation
• Protection of vital interests of the data subject or of another natural person
• Public interest or official authority vested in the controller
• Legitimate interests pursued by the controller or by a third party
• Requirements for specific processing situations (Chapter IX)
• Legal basis for purpose of processing specified in other EU or national law
• Further processing: based on the data subject's consent, a legal requirement, or a purpose compatible with the original purpose; special-category data and safeguards

Page 34

Consent: Clear | Affirmative | Freely given | Specific | Informed | Unambiguous

GO
• Written statement, including electronic, or oral
• Intelligible, easily accessible, in clear and plain language without unfair terms
• Ticking a box, choosing technical settings
• Processing for multiple purposes requires multiple consents
• Documented by controller for audit purposes
• Informed: identity of the controller, purpose(s)
• Freely given: genuine choice
• Able to refuse/withdraw without detriment
• Contract only if necessary for performance of such contract

NO-GO
• Silence rather than consent
• Pre-ticked boxes or inactivity
• Clear imbalance (public authority)
• No separate consents to different operations

CHILD’S CONSENT
• Minimum age 16 years, otherwise parents
• Member States may lower age to 13

Page 35

PROHIBITED CATEGORIES
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data
• Data concerning health
• Sex life or sexual orientation

EXCEPTIONS
• Data subject has given explicit consent
• Obligations in employment, social security/protection
• Protection of vital interests where the data subject is physically or legally incapable of giving consent
• Legitimate activities by NGOs with related aim
• Personal data manifestly made public by the data subject
• Establishment, exercise or defense of legal claims
• Substantial public interest
• Law proportionate to the aim pursued
• Preventive or occupational medicine
• Work assessments, medical diagnosis and care
• Management of health or social care systems
• Contract with a health professional
• Public health, serious cross-border threats to health
• Archiving, scientific or historical research, statistics
• Safeguards may include obligation of secrecy

Registries of criminal convictions and offences or security measures shall be processed by an official authority

Controller shall not be obliged to process additional information in order to identify the data subject

Page 36

RIGHTS OF DATA SUBJECT

Transparency | Modalities | Rectification | Erasure
Objection | Portability | Profiling | Restrictions

Page 37: 2017 02-05 en-eu-data-security_v2

Transparency and modalities

Controller provides information relating to processing to data subject

• in writing, in a concise, transparent and accessible form, without undue delay and in any event within 1 month (extendable by two further months for complex or numerous requests, with the data subject informed of the extension), free of charge

• shall not refuse to act on the request

• except: when controller cannot identify the data subject

• by electronic means where possible

• Requests manifestly unfounded or excessive: charge a fee or refuse to act

• If in doubt, the controller may request confirmation of identity

• Information provided: an easily visible, intelligible and clearly legible overview of the intended processing, which may be combined with standardized icons

• The Commission is empowered to adopt delegated acts determining the information to be presented by icons and the procedures for standardized icons

[Diagram: Request to controller → Lodge complaint with a supervisory authority → Judicial remedy]


Page 38: 2017 02-05 en-eu-data-security_v2

Information and access to own personal data

Data collected from the data subject

• Controller’s identity and contact

• Purposes and legal basis for processing

• Third party recipients

• Transfer to a third country

• Safeguards

• Storage period

• Rights: to access, rectification, erasure, restriction, portability

• Right to withdraw consent

• Right to lodge a complaint with a supervisory authority

• Whether providing the data is a statutory or contractual requirement, or a condition of entering into a contract

• Consequences of failure to provide such data

• Automated decision-making, including profiling

• Meaningful information about the logic involved, and the significance and envisaged consequences of such processing

• Further processing for other purposes

Data obtained from elsewhere

• All of the above, plus:

• Categories of personal data concerned

• Means to obtain a copy of the data

• Where the processing is based on legitimate interests: the interests pursued by the controller or a third party

• Source of the data, and whether it came from publicly accessible sources

• Timing: within a reasonable period and at the latest within one month; if used to communicate with the data subject, at the latest at the first communication; if disclosure to another recipient is envisaged, at the latest when the data are first disclosed

Duty to inform data subject shall not apply where

• the data subject already has the information;

• provision proves impossible or would involve disproportionate effort (archiving, research, statistics)


Page 39: 2017 02-05 en-eu-data-security_v2

Rectification and erasure

Right to obtain rectification of inaccurate personal data without undue delay, including completion of incomplete data

Right to obtain erasure of personal data where one of the following grounds applies:

• personal data are no longer necessary in relation to the purpose of processing

• data subject withdraws consent and there is no other legal ground for processing

• data subject objects to processing and there are no overriding legitimate grounds (for direct marketing, the objection always prevails)

• personal data have been unlawfully processed

• erasure is required for compliance with a legal obligation

• personal data have been collected in relation to the offer of information society services to a child

Controller IS obliged to erase the data, and where it has made the data public

• shall take reasonable steps (taking account of available technology and cost) to inform other controllers processing the data that erasure of any links to, or copies or replications of, the data has been requested

Controller NOT obliged to erase the data where processing is necessary for

• exercising the right of freedom of expression and information

• compliance with a legal obligation, or a task in the public interest or official authority

• reasons of public interest in the area of public health

• archiving, scientific or historical research or statistical purposes, where erasure would seriously impair those objectives

• establishment, exercise or defense of legal claims


Page 40: 2017 02-05 en-eu-data-security_v2

Restriction on processing

• Accuracy contested by the data subject

• Processing is unlawful, data subject opposes erasure, requests restriction

• Controller no longer needs the data, data subject does for legal reasons

• Pending verification re legitimate grounds vs data subject’s rights

• IF restricted: data may still be stored, but otherwise processed only with the data subject's consent, for legal claims, to protect the rights of another person, or for important public interest

• Notification obligation: lifting restriction, rectification, erasure

Right to data portability

• Right to receive data provided to the controller in a structured, commonly used and machine-readable format, where processing is based on consent or contract and carried out by automated means

• Right to transmit those data to another controller

• Does not apply to processing in public interest or official authority


Page 41: 2017 02-05 en-eu-data-security_v2

Right to object

• Right to object, on grounds relating to the data subject's particular situation, at any time, to processing based on public interest/official authority or on legitimate interests

• Right to object includes profiling

• Data subject’s rights vs. compelling legitimate grounds for the processing

• Direct marketing purposes – opt out

• Right to object presented clearly and separately from any other information

Scientific or historical research purposes or statistical purposes

• Right to object exists unless the processing purpose is public interest

Automated individual decision-making, including profiling

• Right not to be subject to a decision based solely on automated processing which produces legal effects or similarly significantly affects the data subject

• EXCEPT: necessary for entering into or performing a contract, authorised by Union or Member State law, or based on explicit consent

• Right to obtain human intervention and to contest the decision


Page 42: 2017 02-05 en-eu-data-security_v2

Union or Member State law

may restrict obligations and rights when necessary and proportionate to safeguard:

• National security

• Defense

• Public security

• Prevention, investigation, detection or prosecution of crimes

• Prevention of threats to public security

• Important objectives of general public interest

• Important economic or financial interest of the Union or of a Member State

• Public health and social security

• Protection of judicial independence and judicial proceedings

• Breaches of ethics for regulated professions

• Monitoring, inspection or regulatory function connected to exercise of official authority

Any such legislative measure shall contain specific provisions that balance these rights (purposes, categories of data, scope of restrictions, safeguards, storage periods, risks, and the right of data subjects to be informed of the restriction)


Page 43: 2017 02-05 en-eu-data-security_v2

CONTROLLER AND PROCESSOR

Responsibilities | Security | Data breaches | DPO

Impact assessment | Code of Conduct | Certification


Page 44: 2017 02-05 en-eu-data-security_v2

Responsibility of the controller

• Appropriate technical and organizational measures to ensure compliance

• Appropriate data protection policies by the controller.

• Adherence to approved codes of conduct

• Data protection by design: safeguards such as pseudonymization and data minimization built into the processing, implementing the data-protection principles

• Data protection by default: only personal data necessary for each specific purpose are processed (amount collected, extent of processing, storage period, accessibility)

• Certification mechanism

Joint controllers

• Two or more controllers jointly determine the purposes and means of processing

• Determine their respective responsibilities

• Designate a contact point for data subjects

• Arrangement shall be made available to the data subject.

Representative

• Controllers or processors not established in the Union but subject to the Regulation shall designate a representative in the Union, in writing


Page 45: 2017 02-05 en-eu-data-security_v2

Processor

• Processing on behalf of a controller

• Appropriate technical and organizational measures to ensure compliance

• Binding written contract with the controller; prior written authorization of the controller before engaging any sub-processor

• Documented instructions and legal grounds

• Confidentiality obligation

• Assist the controller via technical, organizational and other means to ensure compliance

• Upon completion of processing either deletes or returns data to controller

• Makes available all information necessary to demonstrate compliance, and allows for and contributes to audits and inspections by the controller or its auditor

• Informs the controller immediately if an instruction, in its opinion, infringes the Regulation

• Subcontracting – same rules apply to all processors

• Adherence to code of conduct, contracts and certifications

• EC and Supervisory authorities may adopt standard contractual clauses

• A processor that itself determines the purposes and means of processing shall be considered a controller in respect of that processing

• The processor shall not process data except on instructions

• Controllers and processors maintain detailed records of processing activities

• The controller and the processor shall cooperate with supervisory authorities


Page 46: 2017 02-05 en-eu-data-security_v2

Security of personal data

Security of processing: taking into account

• state of the art and costs of implementation

• nature, scope, context and purposes of processing

• likelihood and severity of risks to the rights and freedoms of natural persons

Technical and organizational measures to ensure appropriate security

• - pseudonymization and encryption of data

• - confidentiality, integrity, availability and resilience of processing systems and services

• - ability to restore availability and access to data after an incident

• - testing, assessing and evaluating the effectiveness of measures

Assessing the appropriate level of security

• Consider in particular the risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data

• Adherence to a code of conduct or certification mechanism may be used as an element to demonstrate compliance

• Any person acting under the authority of the controller or processor who has access to personal data shall process them only on instructions from the controller (access limited to what the processing purpose requires)


Page 47: 2017 02-05 en-eu-data-security_v2

Data breaches

Breach notification to SA

• Notification of a personal data breach to the supervisory authority

• Controller to SA without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless the breach is unlikely to result in a risk to natural persons; a later notification must state the reasons for the delay

• Processor shall notify the controller without undue delay after becoming aware

• Content: nature of the breach (categories and approximate numbers of data subjects and records), contact point (DPO), likely consequences, and measures taken or proposed to address it and mitigate its effects

• Documentation: the controller shall document every breach (facts, effects, remedial action taken) so the SA can verify compliance

Breach notification to the data subjects

• High risk breaches shall be communicated to data subjects

• Nature of the breach and measures taken

• Not required if:

• - appropriate protection measures were applied to the affected data, in particular measures rendering the data unintelligible to unauthorized persons, such as encryption (which only holds if the decryption key was not itself compromised),

• - high risk no longer likely due to measures implemented

• - disproportionate effort, public communication sufficient

• Supervisory authority may require the controller to communicate the breach


Page 48: 2017 02-05 en-eu-data-security_v2

Data protection impact assessment

High risk: new technologies, taking into account the nature, scope, context and purposes of processing

Impact assessment required:

• - a systematic evaluation of personal aspects via automated processing/ profiling

• - largescale processing of special categories of data

• - a systematic monitoring of a publicly accessible area on a large scale

• Supervisory authority shall establish a list of activities where impact assessment is required

Impact assessment shall contain:

• - description of processing operations and purposes

• - assessment of the necessity, proportionality and risks to data subjects

• - measures to address the risks (safeguards, security measures)

• - codes of conduct

• - controller shall seek the views of data subjects or their representatives

• - periodic reviews to assess compliance with impact assessment and reassessment

• - Prior consultation: where the assessment indicates high residual risk despite mitigating measures, the controller shall consult the SA before processing

• - Member States may require authorization for certain tasks performed in public interest


Page 49: 2017 02-05 en-eu-data-security_v2

Data Protection Officer

• The controller/processor shall designate a data protection officer where processing is carried out by a public authority, where core activities consist of regular and systematic large-scale monitoring of data subjects, or of large-scale processing of special categories or criminal conviction data

• A DPO may be designated for several public authorities

• DPO may act for associations representing controllers or processors

• DPO should be an expert on data protection law and practices

• DPO's contact details must be published and communicated to the SA

• DPO must be involved, properly and in a timely manner, in all issues relating to the protection of personal data, and must not be dismissed or penalised for performing the tasks

• DPO shall be bound by secrecy or confidentiality

DPO tasks

• Advise controller/processor on requirements of the regulation and monitor compliance

• Be involved in audits and impact assessments

• Cooperate with SA and act as contact point


Page 50: 2017 02-05 en-eu-data-security_v2

Code of Conduct, Certification

Code of Conduct

• Member States, Supervisory Authorities, the Board and the Commission encourage

• Associations representing controllers/processors prepare Codes of Conduct

• Include out-of-court proceedings and dispute resolution

• The Board shall collate all approved Codes of Conduct and make them public

• Accredited monitor of compliance

Certification

• Member States, Supervisory Authorities, the Board and the Commission encourage

• Approved data protection certification mechanisms, seals or marks

• Enforceable commitments, contractual or other

• Certification shall be voluntary, available via transparent process

• Certification bodies shall be accredited on the basis of criteria approved by SA

• The Commission may adopt implementing acts on technical standards for certification


Page 51: 2017 02-05 en-eu-data-security_v2

TRANSFERS TO THIRD COUNTRIES

General principles | Derogations

International cooperation


Page 52: 2017 02-05 en-eu-data-security_v2

General principles for transfers

• The level of protection of natural persons guaranteed by this Regulation must not be undermined, including on onward transfers

Transfers on the basis of an adequacy decision

• Favorable adequacy decision by the Commission: no specific authorization required

Transfers subject to appropriate safeguards

• Adequacy decision not available: transfer allowed only if appropriate safeguards are provided and enforceable data subject rights and effective legal remedies are available (standard data protection clauses, approved codes of conduct or certification with binding commitments)

Subject to authorization from the competent supervisory authority

• Ad hoc contractual clauses between the exporter and the recipient

• Provisions in administrative arrangements between public authorities or bodies

Authorizations based on Directive 95/46/EC remain valid until amended/replaced

Binding corporate rules, subject to approval by supervisory authority

Transfers or disclosures not authorized by Union law

Transfers to third countries and international organizations


Page 53: 2017 02-05 en-eu-data-security_v2

Derogations for specific situations

• Explicit consent of data subject

• Transfer is necessary for the performance of a contract

• Important reasons of public interest (public interest recognized in Union law)

• Establishment, exercise or defense of legal claims

• Vital interests of the data subject/other persons, data subject incapable of giving consent

• Transfer from a public register intended to provide information to the public (excluding transfer of the register as a whole)

• Compelling legitimate interests of the controller, only where no other ground applies: non-repetitive transfer, limited number of data subjects, safeguards assessed, SA and data subjects informed

International cooperation for the protection of personal data

• The Commission and supervisory authorities shall take appropriate steps to:

• - develop international cooperation mechanisms to facilitate effective enforcement of data protection legislation

• - provide international mutual assistance in enforcement (notification, complaint referral, investigative assistance, information exchange)

• - engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in enforcement

• - promote the exchange and documentation of data protection legislation and practice, including jurisdictional conflicts with third countries

Transfers to third countries and international organizations


Page 54: 2017 02-05 en-eu-data-security_v2

SUPERVISORY AUTHORITIES

General conditions | Competence | Tasks | Powers


Page 55: 2017 02-05 en-eu-data-security_v2

Independent supervisory authorities

Each Member State shall

• have at least one supervisory authority

• notify the Commission by 25 May 2018 of the provisions of its law establishing its SA(s), and of any subsequent amendment

• provide their SAs with resources, premises and infrastructure

General conditions for the members of SAs

• Appointed by means of a transparent procedure

• Have the qualifications, experience and skills, in particular in data protection, required to perform the duties and exercise the powers of the office

• The duties of a member end on expiry of the term of office, resignation or compulsory retirement

• A member shall be dismissed only in cases of serious misconduct

Rules on the establishment of the supervisory authority

• Each Member State shall provide by law for the establishment of its SA(s), the qualifications and eligibility conditions of members, the rules and procedures for appointing them, the duration of their term (at least four years), and the conditions governing their obligations and prohibitions

• SA members and staff shall be subject to a duty of professional secrecy, both during and after their term of office


Page 56: 2017 02-05 en-eu-data-security_v2

Competence, tasks and powers

Competence

• Each SA shall be competent for the performance of the tasks assigned

• SAs shall not supervise processing operations of courts acting in their judicial capacity

• Competence of the lead supervisory authority

Tasks

• SA shall on its territory monitor and enforce the application of this Regulation

• Promote public awareness on data processing

• Advise the national institutions and bodies

• Promote awareness of controllers and processors of their obligations

• Provide information to data subjects

• Handle complaints

• Cooperate with other supervisory authorities

• Conduct investigations, monitor relevant developments and practices

• Adopt standard contractual clauses, maintain list of impact assessments

• Any other tasks related to the protection of personal data.


Page 57: 2017 02-05 en-eu-data-security_v2

Competence, tasks and powers

Powers

• Request information from controller and processor relevant to its tasks

• Carry out investigations, audits and review on certifications

• Access to any premises

• Issue warnings, reprimands and orders to comply

• Impose limitation or ban on processing

• Order rectification or erasure of personal data or restriction of processing

• Withdraw certification, impose administrative fine

• Order suspension of data flows to third country or to an international organization

• Issue opinions to national institutions

• Authorize processing

• Approve draft codes of conduct

• Accredit certification bodies, issue certifications and approve criteria of certification

• Adopt standard data protection clauses, and administrative arrangements

• Approve binding corporate rules

• Bring infringements of this Regulation to the attention of the judicial authorities

• Write annual report on its activities


Page 58: 2017 02-05 en-eu-data-security_v2

COOPERATION & CONSISTENCY

Supervisory Authorities | The Board | EDPS


Page 60: 2017 02-05 en-eu-data-security_v2

Cooperation

• Cooperation between the lead supervisory authority and the other SAs

• Lead SA shall cooperate with other SAs to reach consensus

• Exchange all relevant information with each other

• Request mutual assistance in investigations

• Adopt decision and notify the controller/processor

Mutual assistance

• Relevant information and mutual assistance to each other

• Requests for assistance formalized and reasoned, information in a standardized format

• The Commission may specify the format and procedures for mutual assistance

Joint operations

• Joint investigations and joint enforcement measures

• Controller or processor has establishments in several Member States

• Significant number of data subjects in more than one Member State affected

• The host SA may confer powers, including investigative powers, on the seconding SA's members or staff, in accordance with its Member State's law

• Provisional measures on the territory, urgent binding decision


Page 61: 2017 02-05 en-eu-data-security_v2

Supervisory authorities and the Commission apply this Regulation consistently throughout the Union

Opinion of the Board

• Where a competent SA intends to adopt any of these measures

• List of the processing operations for impact assessments

• Code of conduct, criteria for accreditation

• Standard data protection clauses, contractual clauses, binding corporate rules

• Procedure for requests of Board opinion in other matters

• Dispute resolution by the Board in specific situations

Urgency procedure

• Exceptional circumstances

• Supervisory authority sees an urgent need to act

• Immediately adopt provisional measures on its own territory for up to 3 months

• Measures and reasons communicated to other SAs, the Board and to the Commission

• SA may request an urgent opinion or an urgent binding decision from the Board

Exchange of information

• The Commission may adopt implementing acts for the exchange of information


Page 62: 2017 02-05 en-eu-data-security_v2

Supervisory authorities and the Commission apply this Regulation consistently throughout the Union

European Data Protection Board (the Board)

• Established as a body of the Union

• Represented by its Chair (at the time of this deck the European Data Protection Supervisor was Giovanni Buttarelli, with Wojciech Wiewiórowski as Assistant Supervisor)

• Composed of the head of one SA of each Member State and of the European Data Protection Supervisor

• More than 1 SA in a Member State – appoint joint representative

• The Commission can participate in Board activities and meetings without voting right

• EDPS shall have voting rights only on decisions which concern principles and rules

The Board ensures the consistent application of this Regulation

• - monitors and ensures correct application of this Regulation by SAs

• - advises the Commission

• - issues guidelines, recommendations, and best practices and reviews their application

• - carries out accreditation of certification bodies

• - promotes cooperation, common training programs and facilitate personnel exchanges

• - maintains publicly accessible electronic registry of decisions by SAs and Courts

• - consults interested parties and gives them the opportunity to comment


Page 63: 2017 02-05 en-eu-data-security_v2

European Data Protection Board

Reports

• The Board shall draw up an annual report

• Review of the practical application of the guidelines and best practices

Procedure

• The Board decides by a simple majority and adopts its own rules of procedure

Chair

• The Board shall elect a chair and two deputy chairs, 5-year term, renewable once

Tasks of the Chair

• Convenes Board meetings, notifies decisions, ensures performance of the Board

Secretariat

• The Board shall have a secretariat provided by the EDPS

• The secretariat performs its tasks under the instructions of the Chair of the Board

• EDPS staff is subject to separate reporting lines

• The secretariat provides analytical, administrative and logistical support to the Board

Confidentiality

• The discussions of the Board shall be confidential where necessary

• Access to documents submitted to the Board shall be governed by Regulation (EC) No 1049/2001


Page 64: 2017 02-05 en-eu-data-security_v2

REMEDIES, LIABILITY, PENALTIES

Complaints | Judicial remedies | Representation | Fines


Page 65: 2017 02-05 en-eu-data-security_v2

Right to lodge a complaint

• Every data subject shall have the right to lodge a complaint with a supervisory authority

• The supervisory authority shall inform the complainant on progress and outcome

Right to an effective judicial remedy against a supervisory authority

• Each natural or legal person shall have the right to an effective judicial remedy

• Proceedings against a SA shall be brought before the courts of the Member State

Right to an effective judicial remedy against a controller/processor

• Each data subject shall have the right to an effective judicial remedy

• Proceedings against a controller/processor shall be brought before the courts

Representation of data subjects

• Data subjects shall have the right to mandate an NGO to lodge complaint on their behalf

• Such NGO may also act independently of a data subject's mandate

• Suspension of proceedings if the same subject matter is pending decision elsewhere


Page 66: 2017 02-05 en-eu-data-security_v2

Right to compensation and liability

• Any person who has suffered damage shall have the right to receive compensation

• Any controller involved in processing shall be liable for the damage; a processor is liable only where it has not complied with processor-specific obligations or has acted outside or contrary to the controller's lawful instructions

• A controller/processor shall be exempt if it proves that it is not in any way responsible for the event giving rise to the damage

• Where more than one controller/processor is involved, each shall be liable for the entire damage, with a right of recourse against the others for their share

General conditions for imposing administrative fines

• Each SA shall ensure that administrative fines are effective, proportionate and dissuasive

• Fine amounts shall take into account the nature, gravity and duration of the infringement, damage suffered, intent/negligence, mitigation efforts, degree of responsibility, degree of cooperation with the SA, previous measures, adherence to codes of conduct or certification, and other aggravating or mitigating factors

• Infringements of controller/processor obligations (e.g. child's consent, data protection by design, processor contracts, records, security, breach notification, DPIA, DPO): fines up to 10 000 000 EUR or 2 % of total worldwide annual turnover, whichever is higher

• Infringements of the basic principles, conditions for consent, data subject rights, or transfer rules: fines up to 20 000 000 EUR or 4 % of total worldwide annual turnover, whichever is higher

• Non-compliance with an order of the SA: fines up to 20 000 000 EUR or 4 %, whichever is higher

• Exercise of the SA's powers is subject to procedural safeguards, including an effective judicial remedy and due process

Penalties

• Member States shall lay down the rules on other applicable penalties


Page 67: 2017 02-05 en-eu-data-security_v2

SPECIFIC PROCESSING SITUATIONS

Balancing rights | Public interest | Official documents

Obligation of Secrecy | Churches


Page 68: 2017 02-05 en-eu-data-security_v2

Processing and freedom of expression and information

• Journalistic, academic, artistic, literary purposes: exemptions or derogations

• Each Member State shall notify the Commission of its laws

Processing and public access to official documents

• Personal data in official documents may be disclosed in accordance with law

Processing of the national identification number

• Specific conditions for processing of a national identification number or other identifier

[Diagram: balance between the right to the protection of personal data and the right to freedom of expression and information (journalistic, academic, artistic or literary expression)]


Page 69: 2017 02-05 en-eu-data-security_v2

Processing in the context of employment

• Specific rules for processing of employees' personal data

• Human dignity, legitimate interests and fundamental rights

Archiving, research & statistics

• Safeguards and derogations for archiving, scientific or historical research, statistics

• Principle of data minimization

• Pseudonymization

• Derogations necessary for the fulfilment of specific purposes
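Pseudonymization, named above as a safeguard for research data and on the security-of-processing slide, is only a safeguard if the link back to the person is held separately and cannot be rebuilt from the research copy. The Python below is an added worked example, not code from the deck or from ARETE-ZOE; the record layout (patient_id, name, email, diagnosis, visit_date), the dataset label and the sample rows are constructed for illustration. It uses a keyed hash (HMAC-SHA256) rather than a plain hash, because patient numbers and national IDs have little entropy and an unkeyed SHA-256 of them can be reversed by enumeration; the key is the "additional information" the controller keeps apart.

```python
"""Pseudonymize health records with a keyed, dataset-scoped HMAC.

Added example (not the deck's code). Assumes a hypothetical record layout
and a 32-byte secret held by the controller; the research side only ever
receives the output of pseudonymize_dataset().
"""
import hashlib
import hmac
import secrets

# Fields that directly identify a person: dropped from the research copy.
DIRECT_IDENTIFIERS = frozenset({"patient_id", "name", "email"})


def pseudonym(identifier: str, key: bytes, dataset: str) -> str:
    """Keyed pseudonym for one identifier, bound to one dataset.

    The dataset label is mixed into the HMAC input, so the same person
    receives unlinkable pseudonyms in two different studies; the key (not
    the hash function) is what stops dictionary attacks on low-entropy IDs.
    """
    msg = dataset.encode("utf-8") + b"\x00" + identifier.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_record(record: dict, key: bytes, dataset: str) -> dict:
    """Copy of a record with direct identifiers replaced by one pseudonym."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject"] = pseudonym(record["patient_id"], key, dataset)
    return out


def pseudonymize_dataset(records: list, key: bytes, dataset: str) -> list:
    """Research copy: same subject stays linkable across visits, nothing else."""
    return [pseudonymize_record(r, key, dataset) for r in records]


def build_reidentification_table(records: list, key: bytes, dataset: str) -> dict:
    """pseudonym -> patient_id, kept by the controller only, never shipped
    with the research copy (the separately held 'additional information')."""
    return {pseudonym(r["patient_id"], key, dataset): r["patient_id"]
            for r in records}


# Constructed sample input for the demo; not real patient data.
SAMPLE_RECORDS = [
    {"patient_id": "P-1001", "name": "A. Example", "email": "a@example.org",
     "diagnosis": "J45", "visit_date": "2017-01-12"},
    {"patient_id": "P-1001", "name": "A. Example", "email": "a@example.org",
     "diagnosis": "J45", "visit_date": "2017-02-03"},
    {"patient_id": "P-1002", "name": "B. Example", "email": "b@example.org",
     "diagnosis": "E11", "visit_date": "2017-01-20"},
]


def demo(key: bytes = None):
    """Generate a fresh key, produce the research copy and the controller's
    re-identification table; returns both so the caller can inspect them."""
    key = key or secrets.token_bytes(32)
    dataset = "asthma-study-2017"  # hypothetical dataset label
    research = pseudonymize_dataset(SAMPLE_RECORDS, key, dataset)
    table = build_reidentification_table(SAMPLE_RECORDS, key, dataset)
    return research, table


if __name__ == "__main__":
    research_copy, reid_table = demo()
    for row in research_copy:
        print(row)
    print("controller-held table entries:", len(reid_table))
```

The research copy still lets a study link two visits of the same person (same pseudonym), which is what distinguishes pseudonymization from anonymization; re-identification needs the key or the controller's table, so both must sit under the separate technical and organisational measures the slide refers to, and a key rotation or a different dataset label breaks linkage deliberately.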

Obligations of secrecy

• Specific rules to obligation of secrecy for controllers/processors

Existing data protection rules of churches and religious associations

• Comprehensive rules relating to the protection of natural persons

• Churches and religious associations applying such rules shall be subject to the supervision of an independent supervisory authority, which may be a specific one


Page 70: 2017 02-05 en-eu-data-security_v2

DELEGATED & IMPLEMENTING ACTS

Delegated Acts | Final provisions | Related EU law


Page 71: 2017 02-05 en-eu-data-security_v2

Delegated acts and implementing acts

• The Commission shall adopt delegated acts

• A delegated act shall enter into force only if no objection has been expressed by either the European Parliament or the Council within three months of notification (extendable by three months)

Committee procedure

• The Commission shall be assisted by a committee

• Articles 5 and 8 of Regulation (EU) No 182/2011 apply (examination procedure; immediately applicable implementing acts in urgent cases)

Final provisions

• Directive 95/46/EC is repealed with effect from 25 May 2018.

• This Regulation shall not impose additional obligations on natural or legal persons in relation to the provision of publicly available electronic communications services in public communication networks, where they are already subject to specific obligations with the same objective under Directive 2002/58/EC (ePrivacy)

Relationship with previously concluded Agreements

• International agreements involving transfers of personal data concluded prior to 24 May 2016 remain in force until amended, replaced or revoked

• By 25 May 2020, and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council and make it public

• The Commission shall submit proposals to amend union laws to ensure consistency


Page 72: 2017 02-05 en-eu-data-security_v2

Related EU law

• Personal data processing by EU institutions

• Governed by Regulation (EC) No 45/2001

• Processing of personal data by the Union institutions , bodies and agencies.

• Free movement of data within the EU

• To protect natural persons and ensure free movement of personal data within the Union, the power to adopt delegated acts under Article 290 TFEU is conferred on the Commission

• Personal data processing by National authorities

• Governed by Directive (EU) 2016/680

• Prevention, investigation, detection, prosecution of crimes; security threats

• Specific provisions for anti-money laundering and forensic laboratories

• Personal data processing by Intermediary service providers

• Directive 2000/31/EC liability rules (Articles 12 to 15)

• Free movement of information society services between Member States.

• Consent to personal data processing:

• Council Directive 93/13/EEC (unfair terms in consumer contracts): a pre-formulated declaration of consent must be intelligible, easily accessible, in clear and plain language, and contain no unfair terms.

• Confidential information collected for statistical purposes

• European statistics - Article 338(2) TFEU and national law (national statistics)

• Regulation (EC) No 223/2009: statistical confidentiality for European statistics.

• Reuse of public sector information

• Directive 2003/98/EC on reuse of public sector information



Page 73: 2017 02-05 en-eu-data-security_v2

ARETE-ZOE, as a consultancy, provides solutions to complex problems in the high-stakes and high-consequence environment of global pharmaceuticals, including clinical research, healthcare informatics, and public health. We blend established pharma-sector methodologies, innovation, and adaptations/transfers from other sectors to identify and resolve consequential practices that pose risk and often result in avoidable patient casualties. We are specifically not a patient advocacy group, but we believe in optimizing organizational effectiveness and that smart business is agile, competitive and profitable, while intrinsically safe, secure, and resilient. We work within a global context because transnational interests influence national circumstances and choices at the point of prescription.

ARETE-ZOE provides full-spectrum organizational and operational risk management consultancy. Our published materials provide a glimpse of some aspects of our services to demonstrate both knowledge and ongoing participation within the pharmaceutical industry. Our analysis and consultancy includes all channels of misuse, diversion, counterfeiting and illicit exploitation of pharmaceuticals, medical devices, and precursor chemicals. We advise manufacturers, jurisdictional entities, insurers, legislators, litigators, patients, and health care providers.

This scope also frequently segues into the nexus of crime and terrorism as significant influencers that undermine sector integrity differentiated from other criminal activity. Obviously, vulnerability assessment, information collection management and intelligence production supporting decision-making for risk reduction and interventions are routinely within the scope of our services as well as design and implementation of operational control measures.
