Q(WIP): This is the BLIP LTL GDPR learning tool.
It is a work-in-progress, so not all answer fields will be populated, and there may be some broken fields.
A: I understand.
Q: Great. Thanks for giving it a spin! If you find any errors or broken parts, please send us a note. Thanks!
This was last updated on May 12, 2018.
A: What's BLIP?
Q(BLIP_IS): BLIP is the Brooklyn Law Incubator and Policy Clinic at Brooklyn Law School.
It's basically a full-service law firm for bootstrap entrepreneurs and startups. BLIP folks built this tool! :). You can read more about BLIP here.
A: Got it. What's LTL?
Q: LTL is the Legal Technology Laboratory.
A: What's that?
Q: Well, it started as an outgrowth of several key events at the intersections of legal technology, access to justice, lawyering and justice, and entrepreneurship.
A: Cool.
Q: We think so too. That's why LTL continues to evolve as both the size of the LTL community and the opportunities created by its connections to other network innovators expand. You can read more about it here.
A: And what's GDPR?
Q: That's why you're here!GOTO:HOLDING_PATTERN
A: What's LTL?
Q: LTL is the Legal Technology Laboratory.
A: What's that?
Q: Well, it started as an outgrowth of several key events at the intersections of legal technology, access to justice, lawyering and justice, and entrepreneurship.
A: Cool.
Q: We think so too. That's why LTL continues to evolve as both the size of the LTL community and the opportunities created by its connections to other network innovators expand. You can read more about it here.
A: And what's this GDPR?
Q: It's why you came here!GOTO:HOLDING_PATTERN
A: What's the GDPR?
Q: Just you wait...
A: Hold on! I want to know what LTL is!
Q: LTL is the Legal Technology Laboratory.
A: What's that?
Q: Well, it started as an outgrowth of several key events at the intersections of legal technology, access to justice, lawyering and justice, and entrepreneurship.
A: Cool.
Q: We think so too. That's why LTL continues to evolve as both the size of the LTL community and the opportunities created by its connections to other network innovators expand. You can read more about it here.
A: Wait. I never asked what BLIP IS!
Q: Relax. BLIP is the Brooklyn Law Incubator and Policy Clinic at Brooklyn Law School.
It's basically a full-service law firm for bootstrap entrepreneurs and startups. BLIP folks built this tool! :). You can read more about BLIP here.
A: Okay. I think I'm ready to start!
Q:GOTO:HOLDING_PATTERN
A: Wait! What's BLIP?
Q: BLIP is the Brooklyn Law Incubator and Policy Clinic at Brooklyn Law School.
It's basically a full-service law firm for bootstrap entrepreneurs and startups. BLIP folks built this tool! :). You can read more about BLIP here.
A: And what's LTL?
Q: LTL is the Legal Technology Laboratory.
A: What's that?
Q: Well, it started as an outgrowth of several key events at the intersections of legal technology, access to justice, lawyering and justice, and entrepreneurship.
A: Cool.
Q: We think so too. That's why LTL continues to evolve as both the size of the LTL community and the opportunities created by its connections to other network innovators expand. You can read more about it here.
A: Got it. What now?
Q:GOTO:HOLDING_PATTERN
A: I don't have any questions at this time.
Q:GOTO:START
Q(HOLDING_PATTERN):GOTO:START
Q(START): Welcome to the BLIP LTL GDPR Learning Tool.
We're going to ask you several questions to help identify potential risk areas for you to speak about with your attorney.
A: Got it.
Q:GOTO:DISCLAIMER
Q(DISCLAIMER): We're about to get to the good part.
But, before we do, we need to go over a few things with you.
A: Okay, I'm ready.
Q: First of all, none of the information we discuss here is legal advice, and you should not construe it as legal advice.
A: Okay. I understand that this is not legal advice.
Q: Terrific. In addition, we are not entering into an agreement to represent you, and nothing in this tool should be understood as an offer to enter into an attorney/client relationship with you.
A: Okay. I also understand that we are not entering into an attorney/client relationship.
Q: This tool is meant to help you learn a bit about the GDPR and identify some areas about which you should speak with an attorney.
A: I think it's great that this is only a learning tool.
Q: And, finally, if you have any legal questions, you should speak with an attorney.
A: Of course I'll speak with an attorney if I have any legal questions.
Q: Terrific. Let's get started.GOTO:ready
Q(ready): Do you have any questions for us before we get into it?
A: Yes.
Q(MAIN_QUESTIONS): What sort of questions do you have?
A: I have questions about this tool.
Q(TOOL_QUESTIONS): What would you like to know?
A: What happens to my answers? Do you keep them?
Q:No, we do not store any of your data.
At the end of our series of questions, you'll have some options to view or save a note we've drafted for you to share with your attorney as a launchpad to discuss GDPR issues.
A: Got it. I have more questions about this tool.
Q:GOTO:TOOL_QUESTIONS
A: Okay. I have questions about the GDPR.
Q:GOTO:GDPR_QUESTIONS
A: I don't think I have any more questions at this time.
Q:GOTO:SLEEPER_CELL
A: What sort of questions will you be asking?
Q: We'll be asking you some questions about you and your business, such as your name, the name of your attorney (if you have one), and the name of your business.
These questions are optional and are just to format the talking points we'll have for you at the end of the process.
You can just use pseudonyms for that part. :)
A: I understand, and I have some more questions about the tool.
Q:GOTO:TOOL_QUESTIONS
A: Got it. I have some questions about the GDPR.
Q:GOTO:GDPR_QUESTIONS
A: Thanks. I don't have any more general questions about the GDPR at this time.
Q:GOTO:SLEEPER_CELL
A: This format is really cool! What is it?
Q: Thanks for noticing! This was built using a markup language called QnA built by David Colarusso.
You can build your own interactive QnA by visiting the QnA Markup Editor (still in beta).
A:I have more questions.
Q:GOTO:MAIN_QUESTIONS
A: I don't have any more general questions about the GDPR at this time.
Q:GOTO:SLEEPER_CELL
A: I have questions about the GDPR.
Q(GDPR_QUESTIONS): Great. What would you like to know?
A: Okay. Of course I know what the GDPR is. I just want to make sure you do. So.... what is it?
Q: The GDPR is a data privacy law that will affect nearly every firm that does business with folks in the EU. It was passed a couple of years ago, but it comes into force in May of 2018.
A: Right. I knew that. So, do you know why I should be paying attention to this?
Q: Of course! Most businesses with a web presence will likely encounter folks in the EU, and these businesses, no matter where they are, will need to comply with the GDPR or face heavy penalties.
A: I see. What sorta penalties are we talking about here?
Q: According to Article 83 of the regulation, a firm can face a fine of "up to 20 000 000 EUR, or ... up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher."
A: Wow. Okay. I have more questions about the GDPR.
Q:GOTO:GDPR_QUESTIONS
A: I don't think I have any more questions at this time.
Q:GOTO:SLEEPER_CELL
A: What's the GDPR and why should I care?
Q: The GDPR is a European data privacy law that will impact nearly all firms that store, access, or process data from data subjects within the European Union.
A: Tell me more.
Q: The GDPR is around 87 pages and covers a lot of things!
A: Go on...
Q: If you'd like to read more about the GDPR, you can do so here.
A:Okay. I have other questions.
Q:GOTO:GDPR_QUESTIONS
A: I don't think I have any more questions at this time.
Q:GOTO:SLEEPER_CELL
A: Okay. I have other questions.
Q:GOTO:GDPR_QUESTIONS
A: I don't think I have any more questions at this time.
Q:GOTO:SLEEPER_CELL
A: Got it. I have other questions.
Q:GOTO:GDPR_QUESTIONS
A: I don't have any other questions at this time.
A: What is the scope of the GDPR?
Q: The GDPR applies to "the processing of personal data in the context of activities of an establishment of a controller or a processor in the [EU], regardless of whether the processing takes place in the union or not."
A: What does that mean?
Q: Essentially, that means the GDPR applies to firms that collect, store, and process data on people in the EU, no matter where the data processing takes place.
A:I have more questions
Q:GOTO:GDPR_QUESTIONS
A: I don't have any more general questions about the GDPR at this time.
Q:GOTO:SLEEPER_CELL
A: I have questions about the terms in the GDPR.
Q(GDPR_TERMS): Great! We love answering questions. What would you like to learn about?
A: What does "personal data" mean for the GDPR?
Q: 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A: I have another question about GDPR terms.
Q:GOTO:GDPR_TERMS
A: I have another question, but not about GDPR terms.
Q:GOTO:MAIN_QUESTIONS
A: I don't have any more questions.
Q:GOTO:SLEEPER_CELL
A: What does "processing" mean for the GDPR?
Q: 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
A: I have another question about GDPR terms.
Q:GOTO:GDPR_TERMS
A: I have another question, but not about GDPR terms.
Q:GOTO:MAIN_QUESTIONS
A: I don't have any more questions.
Q:GOTO:SLEEPER_CELL
A: What is a "controller" in the GDPR?
Q:'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
A: I have another question about GDPR terms.
Q:GOTO:GDPR_TERMS
A: I have another question, but not about GDPR terms.
Q:GOTO:MAIN_QUESTIONS
A: I don't have any more questions.
Q:GOTO:SLEEPER_CELL
A: What is a "processor" in the GDPR?
Q: 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
A: I have another question about GDPR terms.
Q:GOTO:GDPR_TERMS
A: I have another question, but not about GDPR terms.
Q:GOTO:MAIN_QUESTIONS
A: I don't have any more questions.
Q:GOTO:SLEEPER_CELL
A: What is "consent" in the GDPR?
Q: 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
A: I have another question about GDPR terms.
Q:GOTO:GDPR_TERMS
A: I have another question, but not about GDPR terms.
Q:GOTO:MAIN_QUESTIONS
A: I don't have any more questions.
Q:GOTO:SLEEPER_CELL
A: What is a "recipient" in the GDPR?
Q: 'recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
A: I have another question about GDPR terms.
Q:GOTO:GDPR_TERMS
A: I have another question, but not about GDPR terms.
Q:GOTO:MAIN_QUESTIONS
A: I don't have any more questions.
Q:GOTO:SLEEPER_CELL
A: What is a "third party" in the GDPR?
Q: 'third party' means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
A: I have another question about GDPR terms.
Q:GOTO:GDPR_TERMS
A: I have another question, but not about GDPR terms.
Q:GOTO:MAIN_QUESTIONS
A: I don't have any more questions.
Q:GOTO:SLEEPER_CELL
A: What is "pseudonymisation"?
Q: 'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
A: I have another question about GDPR terms.
Q:GOTO:GDPR_TERMS
A: I have another question, but not about GDPR terms.
Q:GOTO:MAIN_QUESTIONS
A: I don't have any more questions.
Q:GOTO:SLEEPER_CELL
A: I don't have any more general questions about the GDPR at this time.
Q:GOTO:SLEEPER_CELL
A: No.
Q:GOTO:SLEEPER_CELL
Q(DORMANT): We can help you understand how the GDPR might affect your business.
What sort of industry are you in and what sorts of questions do you have?
A: Mobile app development
Q:GOTO:MOBILE_APPS
A: Retail.
Q:GOTO:RETAIL
A: Healthcare.
Q:GOTO:HEALTHCARE
A: Sharing/gig/platform economy.
Q:GOTO:PLATFORM
A: Food service/production.
Q:GOTO:FOOD
A: General business.
Q:GOTO:GENERAL_BUSINESS
A: I have questions about enforcement and penalties.
Q:GOTO:PENALTIES
A: I don't have any questions about my business.
Q:GOTO:EUROPA
Q(MOBILE_APPS):Cool! Mobile apps are great.
What are you thinking about?
A: My app isn't commerce-based. It does not facilitate purchases. Do I still need to worry about the GDPR?
Q: Yes, you might. The GDPR's application does not turn on transactions being made. If you offer goods or services to data subjects in the EU, irrespective of whether a purchase is required, or if you monitor their behavior in the EU, then the GDPR will apply to your app.
A: Got it. I have more questions.
Q:GOTO:MOBILE_APPS
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: I don't store the data collected from my app; I partner with a cloud storage provider. Do I still need to worry about all this?
Q: Yes. The GDPR covers both 'controllers' and 'processors,' and it also applies to 'joint controllers.' Talk to your cloud storage partner, as well as your attorney, about ensuring that your data collection and data processing activities comply with the GDPR.
A: Got it. I have more questions.
Q:GOTO:MOBILE_APPS
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: Some of the behavioral data collected from my app could be valuable, and I intend to sell it to partners. Is this allowed?
Q: Maybe not. The GDPR emphasizes 'data minimization,' which means data processing should be limited to what is necessary in relation to the purposes for which the data was collected. Additionally, the GDPR requires that personal data only be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. So, make sure you have a privacy policy, and talk to your attorney about specific data usage activities you intend to carry out.
A: Got it. I have more questions.
Q:GOTO:MOBILE_APPS
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: Users accept a set of terms before launching my app and using it. Does that mean I'm good?
Q: Not necessarily. The GDPR requires that requests for consent be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Therefore, obtaining consent through acceptance of terms of use must meet the GDPR's standard. Additionally, you must be able to demonstrate that the data subject consented to the processing of his or her personal data. Talk to your attorney about ensuring that your method of obtaining consent complies with the GDPR.
A: Are there any kinds of data that I'm never allowed to process under the GDPR?
Q: Yes. With narrow exceptions, the GDPR prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health or data concerning a natural person's sex life or sexual orientation.
A: Got it. I have more questions.
Q:GOTO:MOBILE_APPS
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A:Are there policies and procedures I should put in place now to comply with the GDPR?
Q:Yes. The GDPR requires that data controllers implement appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This applies to the amount of data collected, the extent of their processing, the period of their storage, and their accessibility. Talk to your attorney about how to implement appropriate technical and organizational measures to ensure that any data processing activities comply with the GDPR.
A: Got it. I have more questions.
Q:GOTO:MOBILE_APPS
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: I'm curious about other industries.
Q:GOTO:SLEEPER_CELL
Q(RETAIL): Great. So, what's up?
A: Does GDPR apply to me, when my place of business is based outside of Europe?
Q: Yes. It does not matter whether your company is inside or outside Europe. If your site interacts with European customers or offers them a service or product, then you need to comply with the GDPR.
A: Got it. I have more questions.
Q:GOTO:RETAIL
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: As a shop owner, what can I do on my e-commerce site for GDPR compliance?
Q: The GDPR empowers Europeans to control how their data is used. As a result, being GDPR compliant means you cannot assume what your users want. For example, the GDPR says, "Silence, pre-ticked boxes or inactivity should not constitute consent." Therefore, no more automatically subscribing customers to your newsletters.
A: Got it. I have more questions.
Q:GOTO:RETAIL
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A:What type of data can I collect from customers?
Q: Only collecting the data that you need is a great way to limit your exposure. For example, if there is no business value in knowing what company the customer works for, then the GDPR gives you an incentive not to ask.
A: Got it. I have more questions.
Q:GOTO:RETAIL
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: What type of good practices do regulators look for from shop owners with e-commerce sites?
Q: Regulators look for transparency and honesty. You want to be able to demonstrate you put your best foot forward to meet the requirements of the GDPR. Good practices include placing an 'unsubscribe' link next to your 'subscribe' link. You can also link directly to your terms and conditions and privacy policy from your site's footer.
A: Got it. I have more questions.
Q:GOTO:RETAIL
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: Besides my e-commerce site, should I be worried about the other online tools I use to interact with customers?
Q: Yes. The GDPR applies to more than just your e-commerce site, so make sure all of your company's online accounts are in compliance. Think of your company's accounts on Facebook, MailChimp, Shopify, and other platforms used to interact with consumers.
A: Got it. I have more questions.
Q:GOTO:RETAIL
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: What are benefits to GDPR compliance for E-commerce shops, besides not being fined?
Q: Personal privacy is a topic all over the web, so companies practicing GDPR compliance can use it as a huge selling point. You can leverage these attitudes to grow your e-commerce business. Some companies, for example, inform users of their use of cookies and their data privacy policy in a top-of-page notification.
A: Got it. I have more questions.
Q:GOTO:RETAIL
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: I'm curious about other industries.
Q:GOTO:SLEEPER_CELL
Q(HEALTHCARE): Awesome. How can we help?
A: I won't be operating my start-up in the EU nor will I be offering it to EU residents, does the GDPR still apply?
Q: If your start-up is accessible through the world wide web or another international medium, then it is possible that the GDPR will still apply even if you are not targeting EU residents. The only way to prevent the GDPR from applying would be to have a policy or code that blocks access to your start-up from EU locations.
A: Got it. I have more questions.
Q:GOTO:HEALTHCARE
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: It's just me (or me and a few friends) creating this startup/IT and putting it into the app stores, the web, or similar. I won't be offering it for money, since this is simply a need I see and can fulfill. Does the GDPR still apply to my startup/IT?
Q: Yes. Because of the nature of the content, the GDPR considers healthcare information to be particularly sensitive, and if you store any EU residents' information then you must comply with the GDPR even if you never have more than one employee on the payroll. Generally, a company with 250 or more employees must comply, but certain subject matters are considered sensitive, and healthcare information is one of those categories.
A: Got it. I have more questions.
Q:GOTO:HEALTHCARE
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: I want my startup/IT to eventually go worldwide, but right now I will just be developing it in a non-EU country. Does it make sense to make sure the code is GDPR compliant now, or is that something I can work up to at a later date?
Q: Considering the sensitive nature of healthcare information, and the fact that many countries, even non-GDPR countries, have strict healthcare information protection laws, it is recommended to aim for compliance from the start. If you already have a system in place when you open it up to EU residents, the curve is much less steep, as everyone in your organization will already be familiar with the dos and don'ts.
A: Got it. I have more questions.
Q:GOTO:HEALTHCARE
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: What if I am not collecting data regarding people's healthcare but rather providing users with easy access to health-related information?
Q: If your startup or IT does NOT store or collect any identifiable information about the data subject, so that whatever your startup/IT does cannot be traced back to a particular individual natural person, then it is GDPR compliant. The GDPR requires that the minimum amount of data be collected to carry out the function of the business, so if you are not collecting data then you are in compliance.
A: Got it. I have more questions.
Q:GOTO:HEALTHCARE
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: If I am HIPAA compliant am I GDPR compliant? And if I become GDPR compliant, does that make me HIPAA compliant? If not, what's the difference?
Q: Both HIPAA and the GDPR require the strict protection of personally identifiable information and the release of the patient's/data subject's stored information within one month of the request.
However, there are many significant differences, so being HIPAA compliant doesn't mean you're GDPR compliant, and being GDPR compliant doesn't mean you're HIPAA compliant.
A: Got it. I have more questions.
Q:GOTO:HEALTHCARE
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: I'm curious about other industries.
Q:GOTO:SLEEPER_CELL
Q(PLATFORM): Awesome. How can we help?
A: I won't be operating my start-up in the EU nor will I be offering it to EU residents, does the GDPR still apply?
Q: If your start-up is accessible through the world wide web or another international medium, then it is possible that the GDPR will still apply even if you are not targeting EU residents. The only way to prevent the GDPR from applying would be to have a policy or code that blocks access to your start-up from EU locations.
A: Got it. I have more questions.
Q:GOTO:PLATFORM
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: I have two kinds of users; those who use my platform to provide services, and those who use my platform to connect with service providers. What sorts of data can I keep?
Q: Good question. It's a little complicated. Any data you hold onto should be tied directly to informed user consent. And you can hold onto that data as long as it is necessary to perform contracted services.
A: Got it. I have more questions.
Q:GOTO:PLATFORM
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
Q(FOOD):Delicious! What sorts of questions do you have?
A: Question 1
Q: Answer 1
A: Got it. I have more questions.
Q:GOTO:FOOD
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: Question 2
Q: Answer 2
A: Got it. I have more questions.
Q:GOTO:FOOD
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: Question 3
Q: Answer 3
A: Got it. I have more questions.
Q:GOTO:FOOD
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: Question 4
Q: Answer 4
A: Got it. I have more questions.
Q:GOTO:FOOD
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: Question 5
Q: Answer 5
A: Got it. I have more questions.
Q:GOTO:FOOD
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: I'm curious about other industries.
Q:GOTO:SLEEPER_CELL
Q(GENERAL_BUSINESS):What sorts of questions do you have for us?
A: How do I determine if my business falls within the scope of GDPR?
Q: If you offer products and services to Europe, you have to comply with the GDPR. The use of a language or a currency generally used in one or more member states in connection with offering goods and services will indicate an intent to offer products/services in the EU.
A: Got it. I have more questions.
Q:GOTO:GENERAL_BUSINESS
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A:Am I required to hire a data protection officer?
Q:No, data protection officers are only required for companies who employ over 250 people.
A: Got it. I have more questions.
Q:GOTO:GENERAL_BUSINESS
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: What are some things I can do to make sure I get proper consent?
Q: Make sure consent is separate from your terms and conditions, use no pre-ticked boxes for consent, write it in plain language, do not make it a precondition of service, tell individuals they can withdraw consent, and explain what information is being collected and how it will be used.
A: Got it. I have more questions.
Q:GOTO:GENERAL_BUSINESS
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: How does the GDPR define personal data?
Q: The GDPR defines personal data as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A: Got it. I have more questions.
Q:GOTO:GENERAL_BUSINESS
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: Can a data subject request access to our internal system(s)?
Q: Yes, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. Before this is done, the controller must use all reasonable measures to verify the identity of the data subject who is requesting access. Furthermore, a controller should not retain the personal data for reactionary purposes. Instead the controller should set up the business' secure internal database for preventative reasons as well.
A: Got it. I have more questions.
Q:GOTO:GENERAL_BUSINESS
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: Does a customer's prior consent provide legal grounds for processing?
Q:There has been ample debate on this topic. The GDPR states that consent must be explicit, freely given, and the controller is required to demonstrate that consent was given. To determine whether consent was freely given, account shall be taken of whether the performance of a contract is made conditional on the consent to processing data that is not necessary to perform the contract.
A: Got it. I have more questions.
Q:GOTO:GENERAL_BUSINESS
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A:Will a specific point person be able to assist me with the GDPR?
Q: Data processors will be obliged to appoint a data protection officer (DPO) in some specific circumstances, such as when the supplier is processing special data, i.e. sensitive data, or if required to do so under Member State law.
This also might not apply if you have fewer than 250 employees.
A: Got it. I have more questions.
Q:GOTO:GENERAL_BUSINESS
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: I'm curious about other industries.
Q:GOTO:SLEEPER_CELL
Q(PENALTIES): Shoot!
A:What should I do if my business suffers from a data breach?
Q:If the data breach poses a risk to individuals, the Data Protection Authorities and individuals must be notified within 72 hours without undue delay.
A: Got it. I have more questions.
Q:GOTO:PENALTIES
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A:What happens if I do not correctly comply with the law?
Q: There are fines for not complying with the law. For small offenses you can be fined 2% of global revenue and for large offenses 4% of global revenue. Make sure you are actively trying to comply with the law because supervisory authorities will likely be more lenient with you.
A: Got it. I have more questions.
Q:GOTO:PENALTIES
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A:How will my business be penalized if we do not abide by the GDPR?
Q: In general, the GDPR considers the nature, gravity, and duration of the infringements when calculating penalties. The GDPR establishes a tiered approach to penalties for breach. For some infringements, such as those involving international transfers, DPAs can impose fines of up to 4 percent of annual worldwide turnover (or 20 000 000 EUR, whichever is higher). Other specified infringements may attract a fine of up to 2 percent of annual worldwide turnover.
A: Got it. I have more questions.
Q:GOTO:PENALTIES
A: I see. I'm ready to move on.
Q:GOTO:EUROPA
A: I'm curious about other industries.
Q:GOTO:SLEEPER_CELL
Q(SLEEPER_CELL):GOTO:EUROPA
Q(EUROPA): The European Commission has released some guidance on the GDPR in which it answers a bunch of pressing questions. We've built them into this tool. Wanna see it?
A:Yes. That sounds great.
Q(EUROPA_YES):Okay. What sorts of areas are you interested in?
A:Application of the GDPR in general.
Q(APPLICATION_YES): Okay. Go ahead
A: To whom does the data protection law apply?
Q:The law applies to:
1) a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
2) a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.
If your company is a small and medium-sized enterprise ('SME') that processes personal data as described above you have to comply with the GDPR. However, if processing personal data isn't a core part of your business and your activity doesn't create risks for individuals, then some obligations of the GDPR will not apply to you (for example the appointment of a Data Protection Officer ('DPO')). Note that 'core activities' should include activities where the processing of data forms an inextricable part of the controller's or processor's activities.
A:I see.
Q:Would you like to see some examples?
A: Yes. I would like to see one where the regulation applies.
Q:Your company is a small, tertiary education company operating online with an establishment based outside the EU. It targets mainly Spanish and Portuguese language universities in the EU. It offers free advice on a number of university courses and students require a username and a password to access your online material. Your company provides the said username and password once the students fill out an enrollment form.
Here, the regulation would apply.
A: Got it.
Q:What now?
A: I want to see an example where the GDPR does not apply.
Q:Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
Here, the GDPR would not apply.
A:Got it. I have more questions in this area.
Q:GOTO:APPLICATION_YES
A:I have more general questions.
Q:GOTO:EUROPA_YES
A: Yes. I would like to see one where the regulation does not apply.
Q:Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
Here, the GDPR would not apply.
A: Got it.
Q:What now?
A: I want to see an example where the GDPR does apply.
Q:Your company is a small, tertiary education company operating online with an establishment based outside the EU. It targets mainly Spanish and Portuguese language universities in the EU. It offers free advice on a number of university courses and students require a username and a password to access your online material. Your company provides the said username and password once the students fill out an enrollment form.
Here, the regulation would apply.
A:Got it. I have more questions in this area.
Q:GOTO:APPLICATION_YES
A:I have more general questions.
Q:GOTO:EUROPA_YES
A:Do the rules apply to small-to-medium enterprises?
Q:Yes, the application of the data protection regulation depends not on the size of your company/organisation but on the nature of your activities. Activities that present high risks for the individuals' rights and freedoms, whether they are carried out by an SME or by a large corporation, trigger the application of more stringent rules. However, some of the obligations of the GDPR may not apply to all SMEs.
For instance, companies with fewer than 250 employees don't need to keep records of their processing activities unless processing of personal data is a regular activity, poses a threat to individuals' rights and freedoms, or concerns sensitive data or criminal records.
Similarly, SMEs will only have to appoint a Data Protection Officer if processing is their main business and it poses specific threats to the individuals' rights and freedoms (such as monitoring of individuals or processing of sensitive data or criminal records), in particular because it's done on a large scale.
A: Got it.
Q:What now?
A: I have more questions in this area.
Q:GOTO:APPLICATION_YES
A: I have more questions in general.
Q:GOTO:EUROPA_YES
A:Do the data protection rules apply to data about a company?
Q:No, the rules only apply to personal data about individuals; they don't govern data about companies or any other legal entities. However, information in relation to one-person companies may constitute personal data where it allows the identification of a natural person. The rules also apply to all personal data relating to natural persons in the course of a professional activity, such as the employees of a company/organisation, business email addresses like 'forename.surname@company.eu' or employees' business telephone numbers.
A: Got it.
Q:What now?
A: I have more questions in this area.
Q:Cool. The references for this question are Articles 1 and 2 and Recital (14) of the GDPR;
See Judgment of the Court (Second Chamber) of 9 March 2017 in case C-398/15, Manni; and Articles 1, 2, 3; Recitals 13, 14, 15, 18, 19, 21, 22, 23, 24, 25.GOTO:APPLICATION_YES
A: I have more general questions.
Q:Cool. The references for this question are Articles 1 and 2 and Recital (14) of the GDPR;
See Judgment of the Court (Second Chamber) of 9 March 2017 in case C-398/15, Manni; and Articles 1, 2, 3; Recitals 13, 14, 15, 18, 19, 21, 22, 23, 24, 25.GOTO:EUROPA_YES
A:Principles of the GDPR.
Q(PRINCIPLES):What sort of questions do you have?
A:What data can we process and under which conditions?
Q:This is a long one. Okay, so the type and amount of personal data you may process depends on the reason you're processing it (legal reason used) and what you want to do with it. You must respect several key rules, including:
personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data you're processing ('lawfulness, fairness and transparency').
A:Go on.
Q:You must have specific purposes for processing the data and you must indicate those purposes to individuals when collecting their personal data. You can't simply collect personal data for undefined purposes ('purpose limitation').
A:Go on.
Q:You must collect and process only the personal data that is necessary to fulfil that purpose ('data minimisation').
You must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it's processed, and correct it if not ('accuracy').
A:Go on.
Q:You can't further use the personal data for other purposes that aren't compatible with the original purpose of collection.
You must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected ('storage limitation').
A:Okay. More please!
Q:You must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology ('integrity and confidentiality').
A:Wow. That's a lot. Can you give me an example?
Q:You run a travel agency. When you obtain your clients' personal data, you should explain in clear and plain language why you need the data, how you'll be using it, and how long you intend to keep it. The processing should be tailored in a way that respects the key data protection principles.
A:Thanks. I have more questions in this area.
Q:The references for these answers are from Article 5(1); Recital 39; and Article 29 Working Party Opinion 03/2013 on purpose limitation (WP 203).GOTO:PRINCIPLES
A:Thanks. I have more general questions.
Q:The references for these answers are from Article 5(1); Recital 39; and Article 29 Working Party Opinion 03/2013 on purpose limitation (WP 203).GOTO:EUROPA
A:Okay. I get it and don't need to see an example.
Q:Okay. The references for these answers are from Article 5(1); Recital 39; and Article 29 Working Party Opinion 03/2013 on purpose limitation (WP 203).GOTO:PRINCIPLES
A:I have questions regarding the purpose of data processing.
Q(DATA_PROCESSING): Okay. Go ahead!
A: Can data be processed for any purpose?
Q: No. The purpose for processing of personal data must be known and the individuals whose data you're processing must be informed. It is not possible to simply indicate that personal data will be collected and processed. This is known as the 'purpose limitation' principle.
A: Got it. I have more questions about data processing.
Q:Okay. References for this question come from Article 29 Working Party Opinion 03/2013 on purpose limitation (WP 203).GOTO:DATA_PROCESSING
A: Alright. I have more questions about the principles of the GDPR.
Q:Okay. References for this question come from Article 29 Working Party Opinion 03/2013 on purpose limitation (WP 203).GOTO:PRINCIPLES
A: Okay. I have more general questions.
Q:Okay. References for this question come from Article 29 Working Party Opinion 03/2013 on purpose limitation (WP 203).GOTO:EUROPA_YES
A: Can we use data for another purpose?
Q:Okay. Here we go. Yes, but only in some cases. If your company/organisation has collected data on the basis of legitimate interest, a contract or vital interests it can be used for another purpose but only after checking that the new purpose is compatible with the original purpose.
A:Go on.
Q:The following points should be considered:
The link between the original purpose and the new/upcoming purpose;
The context in which the data was collected (what is the relationship between your company/organisation and the individual?)
A:Go on.
Q:The type and nature of the data (is it sensitive?)
The possible consequences of the intended further processing (how will it impact the individual?)
The existence of appropriate safeguards (such as encryption or pseudonymisation).
A:More please!
Q:If your company/organisation wants to use the data for statistics or for scientific research it is not necessary to run the compatibility test.
If your company/organisation has collected the data on the basis of consent or following a legal requirement, no further processing beyond what is covered by the original consent or the provisions of the law is possible. Further processing would require obtaining new consent or a new legal basis.
A:Wow. That's a lot of information. Can you give me an example?
Q: Sure. Which kind of example?
A: Further data processing is possible.
Q:A bank has a contract with a client to provide the client with a bank account and a personal loan. At the end of the first year the bank uses the client's personal data to check whether they are eligible for a better type of loan and a savings scheme. It informs the client. The bank can process the data of the client again as the new purposes are compatible with the initial purposes.
A:Okay. What if further data processing isn't possible?
Q:The same bank wants to share the client's data with insurance firms, based on the same contract for a bank account and personal loan. That processing isn't permitted without the explicit consent of the client as the purpose isn't compatible with the original purpose for which the data was processed.
A:Thanks. I have more questions about data processing.
Q:References here are Articles 5(1)(b), 6(4) and 89(1) and Recitals (39) and (50) of the GDPR and Article 29 Working Party Opinion 03/2013 on purpose limitation, 2 April 2013 (WP 203).GOTO:DATA_PROCESSING
A:Got it. I have more general questions.
Q:References here are Articles 5(1)(b), 6(4) and 89(1) and Recitals (39) and (50) of the GDPR and Article 29 Working Party Opinion 03/2013 on purpose limitation, 2 April 2013 (WP 203).GOTO:EUROPA_YES
A: Further data processing isn't possible.
Q: The same bank wants to share the client's data with insurance firms, based on the same contract for a bank account and personal loan. That processing isn't permitted without the explicit consent of the client as the purpose isn't compatible with the original purpose for which the data was processed.
A: Okay. What if further data processing is possible?
Q:A bank has a contract with a client to provide the client with a bank account and a personal loan. At the end of the first year the bank uses the client's personal data to check whether they are eligible for a better type of loan and a savings scheme. It informs the client. The bank can process the data of the client again as the new purposes are compatible with the initial purposes.
A:Thanks. I have more questions about data processing.
Q:References here are Articles 5(1)(b), 6(4) and 89(1) and Recitals (39) and (50) of the GDPR and Article 29 Working Party Opinion 03/2013 on purpose limitation, 2 April 2013 (WP 203).GOTO:DATA_PROCESSING
A:Got it. I have more general questions.
Q:References here are Articles 5(1)(b), 6(4) and 89(1) and Recitals (39) and (50) of the GDPR and Article 29 Working Party Opinion 03/2013 on purpose limitation, 2 April 2013 (WP 203).GOTO:EUROPA_YES
A:How much data can be collected?
Q:Personal data should only be processed where it isn't reasonably feasible to carry out the processing in another manner. Where possible, it is preferable to use anonymous data. Where personal data is needed, it should be adequate, relevant, and limited to what is necessary for the purpose ('data minimisation'). It's your company/organisation's responsibility as controller to assess how much data is needed and ensure that irrelevant data isn't collected.
A: Ahhh. Can I see an example?
Q:Your company/organisation offers car-sharing services to individuals. For those services it may require the name, address and credit card number of your customers and potentially even information on whether the person has a disability (so health data), but not their racial origin.
A:I have more questions about GDPR principles.
Q:Cool. References for this come from Article 5(1)(c) and Recital (39) of the GDPR.GOTO:PRINCIPLES
A:I have more questions about the GDPR.
Q:Cool. References for this come from Article 5(1)(c) and Recital (39) of the GDPR.GOTO:EUROPA_YES
A:For how long can data be kept and is it necessary to update it?
Q:You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.).
A: Go on.
Q: Your company/organisation should establish time limits to erase or review the data stored.
By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.).
A: Go on.
Q:Your company/organisation must also ensure that the data held is accurate and kept up-to-date.
A: Ah. Can you give me an example? Like if data is kept too long without an update?
Q:Your company/organisation runs a recruitment office and for that purpose it collects CVs of persons seeking employment and who, in exchange for your intermediary services, pay you a fee. You plan to keep the data for 20 years and you take no measures for updating the CVs.
A:Go on.
Q:The storage period doesn't seem proportionate to the purpose of finding employment for a person in the short to medium term. Moreover, the fact you don't request updates to CVs at regular intervals renders some of the searches useless for the person seeking employment after a certain amount of time (for instance because that person has gained new qualifications).
A: Got it. I have more questions about GDPR Principles.
Q: Okay. References for this question are from Article 5(1)(e) and Recital (39) of the GDPR.GOTO:PRINCIPLES
A: Thanks. I have more general questions about the GDPR.
Q: Okay. References for this question are from Article 5(1)(e) and Recital (39) of the GDPR.GOTO:EUROPA_YES
A: What information must be given to individuals whose data is collected?
Q:At the time of collecting their data, people must be informed clearly about at least:
Who your company/organisation is (your contact details, and those of your DPO if any);
A:Go on.
Q:Why your company/organisation will be using their personal data (purposes);
The categories of personal data concerned;
The legal justification for processing their data;
A:Go on.
Q:For how long the data will be kept;
Who else might receive it;
Whether their personal data will be transferred to a recipient outside the EU;
A:Go on.
Q:That they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);
A: ...
Q: Their right to lodge a complaint with a Data Protection Authority (DPA);
Their right to withdraw consent at any time;
Where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.
A:Wow.
Q:Yeah. They also give a complete list of information to be provided.
A: Okay.
Q: They're not done yet. You see, the information may be provided in writing, orally at the request of the individual when the identity of that person is proven by other means, or by electronic means where appropriate. Your company/organisation must do that in a concise, transparent, intelligible and easily accessible way, in clear and plain language and free of charge.
A: I assume there's more.
Q: You betcha. When data is obtained from another company/organisation, your company/organisation should provide the information listed above to the person concerned at the latest within 1 month after your company obtained the personal data; or, in case your company/organisation communicates with the individual, when the data is used to communicate with them; or, if a disclosure to another company is envisaged, when the personal data was first disclosed.
A: Okay. And the rest?
Q: Your company/organisation is also required to inform the individual of the categories of data and the source from which it was obtained including if it was obtained from publicly accessible sources. Under specific circumstances listed in Articles 13(4) and 14(5) of the GDPR your company/organisation may be exempted from the obligation to inform the individual. Please check whether that exemption applies to your company/organisation.
A: Got it. I have more questions about GDPR principles.
Q: Okay. References for this question came from Article 12(1), (5) and (7), Articles 13 and 14 and Recitals (58) to (62) of the GDPR and Article 29 Working Party guidelines on transparency.GOTO:PRINCIPLES
A: Got it. I have more questions about the GDPR in general.
Q: Okay. References for this question came from Article 12(1), (5) and (7), Articles 13 and 14 and Recitals (58) to (62) of the GDPR and Article 29 Working Party guidelines on transparency.GOTO:EUROPA_YES
A: Public administration and data protection.
Q(PUBLIC_ADMIN): Okay. What sort of thing are you interested in?
A: What are the main aspects of the General Data Protection Regulation (GDPR) that a public administration should be aware of?
Q: A public administration is subject to the rules of the GDPR when processing personal data relating to an individual. It is the responsibility of the national administrations to support regional and local administration in preparing for the application of the GDPR.
A: Go on.
Q: Most of the personal data held by public administrations is usually processed on the basis of a legal obligation or insofar as it is necessary to perform tasks carried out in the public interest or in the exercise of official authority vested in it.
A: Go on.
Q:When processing personal data a public administration must respect key principles, such as:
Fair and lawful processing
Purpose limitation
Data minimisation and data retention.
A:Okay.
Q: In the case of processing on the basis of the law, this law should already ensure that these principles are observed (e.g. the types of data, storage period and appropriate safeguards).
A: Okay.
Q: Prior to processing personal data, individuals must be informed about the processing, such as its purposes, the types of data collected, the recipients, and their data protection rights.
A: There's more?
Q:A public administration is required to appoint a Data Protection Officer (DPO); however, a single data protection officer may be designated for several public bodies and therefore be shared amongst them, or the work may be outsourced to an external DPO.
A: ...
Q: It must also ensure that appropriate technical and organisational measures have been implemented to secure personal data.
A: ...
Q: If parts of the processing are outsourced to an external organisation (so-called 'processor') there must be a contract or another legal act guaranteeing that the processor provides sufficient guarantees to implement appropriate technical and organisational measures that meet the standards of the GDPR.
A: ...
Q: In cases where personal data held is disclosed accidentally or unlawfully to unauthorised recipients or is temporarily unavailable or altered, the breach must be notified to the Data Protection Authority (DPA) without undue delay and at the latest within 72 hours after having become aware of the breach. The public administration may also need to inform individuals about the breach.
A: Are we almost done with this?
Q: Yes. You can find more information about the obligations of public administrations under the GDPR in the section 'Business and organisations'.
A: Thanks. I have more questions about Public administration and data protection.
Q:Cool. References for this question are Chapter II and IV of the GDPR.GOTO:PUBLIC_ADMIN
A: Got it. I have more questions about the GDPR in general.
Q:Cool. References for this question are Chapter II and IV of the GDPR.GOTO:EUROPA_YES
A: How should requests from individuals be dealt with?
Q: Individuals may contact a public administration to exercise their rights under the GDPR (rights of access, rectification, erasure, restriction, objection, right not to be subject to automated decision-making).
A: Okay.
Q: Note that individuals have a right to object to the processing of personal data by the public administration on grounds of public interest. They must provide the public administration with reasons relating to their particular situation.
The public administration may continue processing the data, and thus deny their request, if it demonstrates compelling legitimate grounds for the processing that override the interests and rights of the individual, or if the data is required for the establishment, exercise or defence of legal claims.
A: Okay.
Q:Individuals don�t have a right to the transmission of data relating to them that is needed for the performance of a task carried out in the public interest or in the exercise of official authority vested in them.
A: Got it.
Q:A public administration must reply to requests from individuals without undue delay, and in principle within 1 month of receipt of the request. It may ask for additional information in order to confirm the identity of the person making the request.
If the request is rejected the individuals must be provided with the reasons for rejection and informed of their right to file a complaint with the DPA and to seek a judicial remedy.
A: Got it.
Q: Great! If you have more questions, you can see the "Business and organizations" section of the European Commission's site on data protection.
A: Thanks. I have more questions about public administration and data collection.
Q: Awesome. References for this section came from Chapter II and IV of the GDPR.GOTO:PUBLIC_ADMIN
A: I see. I have more questions about the GDPR in general.
Q: Awesome. References for this section came from Chapter II and IV of the GDPR.GOTO:EUROPA_YES
A: What if a public administration fails to comply with the data protection rules?
Q:The question, really, is what doesn't happen. Just kidding.
The Data Protection Authorities have different tools at their disposal in cases of non-compliance.
In the case of a likely infringement, a warning may be issued. In the case of an infringement, the possibilities include: a reprimand or a temporary or definitive ban on the processing. In some countries, public bodies may also be subject to administrative fines. A public administration should check the national data protection law in its country.
A: Okay.
Q: Individuals can claim compensation where a public body is in breach of the GDPR and they have suffered material damages, for example financial loss, or non-material damages, for example reputational loss or psychological distress.
A: Okay.
Q: The GDPR ensures that they will be provided with compensation, regardless of the number of organisations involved in the processing of their data. Compensation can be claimed directly from the public body or before the competent national courts of the EU Member State concerned.
A: Got it.
Q: Okay. Where to now?
A: I have more questions about public administration and data collection.
Q: I knew you would. You can always check out Article 58, Articles 82 to 84 and Recitals (129), (146) to (148), (150) and (151) of the GDPR to see where the info for this question came from.GOTO:PUBLIC_ADMIN
A: I have more questions about the GDPR in general.
Q: I knew you would. You can always check out Article 58, Articles 82 to 84 and Recitals (129), (146) to (148), (150) and (151) of the GDPR to see where the info for this question came from.GOTO:EUROPA_YES
A: Legal grounds for processing data.
Q(LEGAL_GROUNDS): Okay. About which areas do you have questions?
A:Grounds for processing.
Q(DATA_GROUNDS): Okay. About what sort of thing would you like to learn?
A:When can personal data be processed?
Q: Your company/organisation can only process personal data in the following circumstances:
with the consent of the individuals concerned;
where there is a contractual obligation (a contract between your company/organisation and a client);
A: Go on.
Q:To meet a legal obligation under EU or national legislation
Where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation
To protect the vital interests of an individual
A: Go on.
Q:For your organisation's legitimate interests, but only after having checked that the fundamental rights and freedoms of the person whose data you're processing aren't seriously impacted. If the person's rights override your interests, then processing cannot be carried out based on legitimate interest. Whether your company/organisation's legitimate interests in processing override those of the persons concerned depends on the individual circumstances of the case.
A: I think I understand and have other questions.
Q: Are you sure? I have some good examples coming up.
A: Yes, I'm sure. I have other questions.
Q: Okay. Questions about what?
A: The grounds for processing.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:DATA_GROUNDS
A: The GDPR in general
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:EUROPA_YES
A: Okay, you've convinced me. Let's see your examples.
Q: Awesome. Just so we're clear: they're not my examples. They're the examples given by the European Commission.
A: Whatever.
Q(DATA_GROUNDS_EXAMPLE): ...
Okay. Which example would you like to see?
A: An example related to consent.
Q:Your company/organisation offers a music app and asks for citizens' consent to process their musical preferences in order to suggest tailored songs and possible concerts to them.
A:Got it. I would like to see more examples.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:DATA_GROUNDS_EXAMPLE
A:Got it. I have more questions about the grounds for processing.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:DATA_GROUNDS
A:Got it. I have more questions about the GDPR in general.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:EUROPA_YES
A: One about contractual obligation.
Q:Your company/organisation sells goods online. It can process data that is necessary to take steps at the request of the individual prior to entering into the contract and for the performance of the contract. So you can process the name, delivery address, credit card number (if payment by card), etc.
A:Got it. I would like to see more examples.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:DATA_GROUNDS_EXAMPLE
A:Got it. I have more questions about the grounds for processing.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:DATA_GROUNDS
A:Got it. I have more questions about the GDPR in general.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:EUROPA_YES
A: Let's talk about legal obligations.
Q:You own a company with employees. In order to obtain social security cover, the law obliges you to provide personal data (for example weekly income of your employees) to the relevant authority.
A:Got it. I would like to see more examples.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:DATA_GROUNDS_EXAMPLE
A:Got it. I have more questions about the grounds for processing.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:DATA_GROUNDS
A:Got it. I have more questions about the GDPR in general.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:EUROPA_YES
A: How about the public interest?
Q: Example: a professional association such as a bar association or a chamber of medical professionals vested with an official authority to do so may carry out disciplinary procedures against some of their members.
A:Got it. I would like to see more examples.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:DATA_GROUNDS_EXAMPLES
A:Got it. I have more questions about the grounds for processing.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:DATA_GROUNDS
A:Got it. I have more questions about the GDPR in general.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:EUROPA_YES
A: One regarding the vital interests of a person.
Q: A hospital is treating a patient after a serious road accident; the hospital doesn't need his consent to search for his ID to check whether that person exists in the hospital's database to find previous medical history or to contact his next of kin.
A:Got it. I would like to see more examples.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:DATA_GROUNDS_EXAMPLES
A:Got it. I have more questions about the grounds for processing.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:DATA_GROUNDS
A:Got it. I have more questions about the GDPR in general.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:EUROPA_YES
A: My organization's legitimate interests.
Q: Your company/organisation ensures network security by monitoring its employees' use of IT devices. Your company/organisation may legitimately process personal data for that purpose only if the least intrusive method is chosen as regards the privacy and data protection rights of your employees, for example by limiting the accessibility of certain websites. (Note that this can't be done in EU Member States where national law sets out stricter rules for processing in the employment context.)
A:Got it. I would like to see more examples.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:DATA_GROUNDS_EXAMPLES
A:Got it. I have more questions about the grounds for processing.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:DATA_GROUNDS
A:Got it. I have more questions about the GDPR in general.
Q:Okay. References for this question came from Article 6 and Recitals (40) to (49) of the GDPR and Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:EUROPA_YES
A: Sensitive Data.
Q(SENSITIVE_DATA): Gotcha. What would you like to know?
A: What personal data is considered sensitive?
Q:The following personal data is considered 'sensitive' and is subject to specific processing conditions:
personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
trade-union membership
genetic data, biometric data processed solely to identify a human being
health-related data
data concerning a person's sex life or sexual orientation.
A:Got it. Thanks. I have more questions about sensitive data.
Q: Okay. References for this question came from Article 4(13), (14) and (15) and Article 9 and Recitals (51) to (56) of the GDPR.GOTO:SENSITIVE_DATA
A:I see. I have more questions about legal grounds for processing data.
Q: Okay. References for this question came from Article 4(13), (14) and (15) and Article 9 and Recitals (51) to (56) of the GDPR.GOTO:LEGAL_GROUNDS
A:Understood. I have more general questions about the GDPR.
Q: Okay. References for this question came from Article 4(13), (14) and (15) and Article 9 and Recitals (51) to (56) of the GDPR.GOTO:EUROPA_YES
A: Under what conditions can my company/organisation process sensitive data?
Q: Your company/organisation can only process sensitive data if one of the following conditions is met:
the explicit consent of the individual was obtained (a law may rule out this option in certain cases)
An EU or national law or a collective agreement, requires your company/organisation to process the data to comply with its obligations and rights, and those of the individuals, in the fields of employment, social security and social protection law
A: Go on.
Q: The vital interests of the person, or of a person physically or legally incapable of giving consent, are at stake
You are a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, processing data about its members or about people in regular contact with the organisation
A: Anything else?
Q:The personal data was manifestly made public by the individual
The data is required for the establishment, exercise or defence of legal claims;
The data is processed for reasons of substantial public interest on the basis of EU or national law
A: And?
Q:The data is processed for the purposes of preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of EU or national law, or on the basis of a contract as a health professional
The data is processed for reasons of public interest in the field of public health on the basis of EU or national law
The data is processed for archiving, scientific or historical research purposes or statistical purposes on the basis of EU or national law.
A: Okay.
Q: Further conditions may be imposed by national law on the processing of genetic data, biometric data or data concerning health. Check with your National Data Protection Authority.
A: Okay. I would like to see some examples.
Q: What sort of example would you like to see?
A: I would like to see an example where I can process sensitive data.
Q:A doctor sees a number of patients at his clinic. He logs the visit in a database that includes fields such as name/surname of patient, description of symptoms and medication prescribed. That is considered to be sensitive data. The processing of health data by the clinic is allowed under the data protection law because it is required to treat the person and is carried out under the responsibility of a doctor who is subject to an obligation of professional secrecy.
A: Got it. What about an example where I can't process sensitive data?
Q:No problem! Your company sells dresses online. In order to tailor the service to the specific interests of your clients, you ask them to provide information about sizes, preferred colour, payment method, name and address so that the product can be delivered. In addition, your company asks for your clients' political views. You need most of that information to fulfil your side of the contract. However, clients' political views are not needed to make and deliver their dresses, and they are sensitive data. Your company cannot ask for that information under that contract.
A: I see. I have more questions about sensitive data.
Q:Cool. References for this question come from Article 9 and Recitals (51) to (56) of the GDPR.GOTO:SENSITIVE_DATA
A: Got it. I have more questions about the legal grounds for processing.
Q:Cool. References for this question come from Article 9 and Recitals (51) to (56) of the GDPR.GOTO:LEGAL_GROUNDS
A: Wonderful. I have more general questions about the GDPR.
Q:Cool. References for this question come from Article 9 and Recitals (51) to (56) of the GDPR.GOTO:EUROPA_YES
A: How about an example where I can't process sensitive data?
Q:Your company sells dresses online. In order to tailor the service to the specific interests of your clients, you ask them to provide information about sizes, preferred colour, payment method, name and address so that the product can be delivered. In addition, your company asks for your clients' political views. You need most of that information to fulfil your side of the contract. However, clients' political views are not needed to make and deliver their dresses, and they are sensitive data. Your company cannot ask for that information under that contract.
A: Got it. What about the example where I can process sensitive data?
Q:Sure thing! A doctor sees a number of patients at his clinic. He logs each visit in a database that includes fields such as the patient's name/surname, a description of symptoms and the medication prescribed. That is considered to be sensitive data. The processing of health data by the clinic is allowed under the data protection law because it is required to treat the person and is carried out under the responsibility of a doctor who is subject to an obligation of professional secrecy.
A: I see. I have more questions about sensitive data.
Q:Cool. References for this question come from Article 9 and Recitals (51) to (56) of the GDPR.GOTO:SENSITIVE_DATA
A: Got it. I have more questions about the legal grounds for processing.
Q:Cool. References for this question come from Article 9 and Recitals (51) to (56) of the GDPR.GOTO:LEGAL_GROUNDS
A: Wonderful. I have more general questions about the GDPR.
Q:Cool. References for this question come from Article 9 and Recitals (51) to (56) of the GDPR.GOTO:EUROPA_YES
A: Got it. I have other questions.
Q: Okay. What do you have questions about?
A: I have more questions about sensitive data.
Q: Okay. References for this question came from Article 9 and Recitals (51) to (56) of the GDPR.GOTO:SENSITIVE_DATA
A: I have more questions about the legal grounds for processing.
Q: Okay. References for this question came from Article 9 and Recitals (51) to (56) of the GDPR.GOTO:LEGAL_GROUNDS
A: I have more questions about the GDPR in general.
Q: Okay. References for this question came from Article 9 and Recitals (51) to (56) of the GDPR.GOTO:EUROPA_YES
A:Got it. Thanks. I have more questions about sensitive data.
Q: Okay. References for this question came from Article 4(13), (14) and (15) and Article 9 and Recitals (51) to (56) of the GDPR.GOTO:SENSITIVE_DATA
A:I see. I have more questions about legal grounds for processing data.
Q: Okay. References for this question came from Article 4(13), (14) and (15) and Article 9 and Recitals (51) to (56) of the GDPR.GOTO:LEGAL_GROUNDS
A:Understood. I have more general questions about the GDPR.
Q: Okay. References for this question came from Article 4(13), (14) and (15) and Article 9 and Recitals (51) to (56) of the GDPR.GOTO:EUROPA_YES
A: Are there any specific safeguards for data about children?
Q: Where consent is the legal basis, your company/organisation can only process a child's personal data with the consent or authorisation of a parent or guardian, up to a certain age. This applies to online services offered directly to children. The age threshold below which parental consent is required varies between 13 and 16 years, depending on the age set by each EU Member State. Check with your National Data Protection Authority.
A: Go on.
Q:A reasonable effort, taking available technology into account, must be made to verify that consent was in fact given or authorised by the parent or guardian. That means that your company/organisation must implement age-verification measures (for example control questions, or actions required on the website).
A: Go on.
Q: Parental consent must be obtained, for example, if your organisation runs an online social networking site, offers free online games to children, or offers family insurance online.
If your organisation targets children, you must ensure that any information and communication addressed to a child is easily accessible and in clear and plain language that a child can easily understand.
A: And?
Q: Preventive or counselling services offered directly to a child don't require parental authorisation, since they are aimed at protecting the child's best interests.
A: Got it. I have more questions about legal grounds for processing.
Q: No problem. References for this question are Articles 8 and 12 and Recitals (38) and (58) of the GDPR.GOTO:LEGAL_GROUNDS
A: I see. I have more questions about the GDPR in general.
Q:Of course. References for this questions are Articles 8 and 12 and Recitals (38) and (58) of the GDPR.GOTO:EUROPA_YES
A: Can data received from a third party be used for marketing?
Q:Before you acquire a contact list or a database with contact details of individuals from another organisation, that organisation must be able to demonstrate that the data was obtained in compliance with the General Data Protection Regulation and that it may be used for advertising purposes. For example, if the organisation collected the data on the basis of consent, that consent should have included the possibility of transmitting the data to other recipients for their own direct marketing.
A: Okay.
Q:Your company/organisation must also ensure that the list or database is up to date and that you don't send advertising to individuals who objected to the processing of their personal data for direct marketing purposes. Your company/organisation must also ensure that if it uses communication tools, such as email, for the purposes of direct marketing, it complies with the rules set out in the ePrivacy Directive (Directive 2002/58/EC*).
*Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.07.2002, p. 37).
A: Okay.
Q:Such lists are processed on grounds of legitimate interests, and individuals have a right to object to such processing. Your company/organisation must also inform individuals, at the latest at the time of the first communication with them, that you have collected their personal data and that you will be processing it to send them advertising.
A: Okay.
Q: Yup. So, want to see an example?
A: Sure!
Q:Two friends, Mrs. A and Mr. B, run, respectively, a gym and a book shop. Each collects data from their respective customers. Mr. B's book shop isn't doing well. His client database has few entries and not many people walk into his shop. He tells Mrs. A that he has a new biography of a famous athlete and asks whether Mrs. A's clients would be interested in receiving advertising about the book.
A: So what?
Q:The terms of Mrs. A's privacy notice informed her clients that she could share their data with partners offering products in the health and fitness area. Provided specific consent was given for the purpose of transmitting the data to other recipients for their own direct marketing, Mrs. A can send the client list to Mr. B. No data may be sent about an individual who objected to the processing of their personal data.
A: Gotcha.
Q: Okay. What's next?
A: I have more questions about the legal grounds for processing data.
Q:No problem. References for this question came from Articles 4(10), 5, 6, 14 and 21 of the GDPR, Article 29 Working Party Opinion on Transparency, and ePrivacy Directive 2002/58/EC rules on direct marketing, in particular Article 13.GOTO:LEGAL_GROUNDS
A: I have more questions about the GDPR in general.
Q:No problem. References for this question came from Articles 4(10), 5, 6, 14 and 21 of the GDPR, Article 29 Working Party Opinion on Transparency, and ePrivacy Directive 2002/58/EC rules on direct marketing, in particular Article 13.GOTO:EUROPA_YES
A: Nope.
Q: If you say so. What now?
A: I have more questions about the legal grounds for processing data.
Q:No problem. References for this question came from Articles 4(10), 5, 6, 14 and 21 of the GDPR, Article 29 Working Party Opinion on Transparency, and ePrivacy Directive 2002/58/EC rules on direct marketing, in particular Article 13.GOTO:LEGAL_GROUNDS
A: I have more questions about the GDPR in general.
Q:No problem. References for this question came from Articles 4(10), 5, 6, 14 and 21 of the GDPR, Article 29 Working Party Opinion on Transparency, and ePrivacy Directive 2002/58/EC rules on direct marketing, in particular Article 13.GOTO:EUROPA_YES
A: Obligations.
Q(OBLIGATIONS): Cool. What would you like to know about obligations?
A: I have questions about data controllers and processors.
Q(CONTROLLER_PROCESSOR): Okay. What would you like to know?
A: What is a data controller or a data processor?
Q: The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organisation decides 'why' and 'how' the personal data should be processed, it is the data controller. Employees processing personal data within your organisation do so to fulfil your tasks as data controller.
A: Okay.
Q: Your company/organisation is a joint controller when, together with one or more other organisations, it jointly determines 'why' and 'how' personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed.
A: Hmmm....
Q: The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.
A: And?
Q:The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract part of its task to another processor, or appoint a joint processor, when it has received prior written authorisation from the data controller.
A: And?
Q: There are situations where an entity can be a data controller, or a data processor, or both.
A: I see. Can you give me some examples?
Q: Sure. Have a suggestion?
A: I would like to see an example of a controller and a processor.
Q:A brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees' data. The brewery is the data controller and the payroll company is the data processor.
A: And what about an example where there are joint controllers?
Q:Your company/organisation offers babysitting services via an online platform. At the same time your company/organisation has a contract with another company allowing you to offer value-added services. Those services include the possibility for parents not only to choose the babysitter but also to rent games and DVDs that the babysitter can bring.
A: And?
Q:Both companies are involved in the technical set-up of the website. In that case, the two companies have decided to use the platform for both purposes (babysitting services and DVD/games rental) and will very often share clients' names. Therefore, the two companies are joint controllers because not only do they agree to offer the possibility of 'combined services' but they also design and use a common platform.
A: I understand. I have some more questions about controllers and processors.
Q:Sure thing. References for this question are Article 4(7) and (8), Articles 24, 26, 28 and 29 and Recitals (74), (79) and (81) of the GDPR and Article 29 Working Party Opinion 1/2010 on the concepts of 'controller' and 'processor' (WP 169).GOTO:CONTROLLER_PROCESSOR
A: Gotcha. I have some more questions about obligations under the GDPR.
Q:Sure thing. References for this question are Article 4(7) and (8), Articles 24, 26, 28 and 29 and Recitals (74), (79) and (81) of the GDPR and Article 29 Working Party Opinion 1/2010 on the concepts of 'controller' and 'processor' (WP 169).GOTO:OBLIGATIONS
A: I have some more questions about the GDPR in general.
Q:Sure thing. References for this question are Article 4(7) and (8), Articles 24, 26, 28 and 29 and Recitals (74), (79) and (81) of the GDPR and Article 29 Working Party Opinion 1/2010 on the concepts of 'controller' and 'processor' (WP 169).GOTO:EUROPA_YES
A:Can someone else process the data on my organisation's behalf?
Q: Someone else (a natural or legal person or any other body) may process personal data on your behalf provided there is a contract or other legal act. It is important that the processor you appoint provides sufficient guarantees to implement appropriate technical and organisational measures to ensure that the processing will meet the standards of the General Data Protection Regulation (GDPR) and to guarantee the protection of the rights of the individuals.
A: Go on.
Q: The appointed processor can't subsequently appoint another processor without your prior specific or general written authorisation. The contract or legal act between your company/organisation and the processor should include the following elements...
A: What are they?
Q: The processing can take place only on documented instructions from the controller
The processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
A: And?
Q: The processor must implement at least the minimum level of security defined by the controller
The processor must assist in ensuring compliance with the GDPR.
A: Can you give me an example?
Q: A construction company is using a sub-contractor for specific construction work, and provides it with the contact details of the clients where the construction work needs to be done. The sub-contractor further uses the data to send the clients marketing material. The sub-contractor in that case doesn't qualify merely as a 'processor' under the GDPR, as the sub-contractor is not only processing personal data on behalf of the construction company, but also further processing it for its own purposes. The sub-contractor is therefore acting as a 'data controller'.
A: Okay. How about another?
Q: You're a retail company that decides to store a back-up of your client database on a cloud server. To that end you enter into a contract with a cloud provider known for its data protection standards and which also has a certified system for encrypting data. The cloud provider is your processor because, by storing the personal data of your clients on its servers, it processes personal data on your behalf.
A: Got it. I have more questions about controllers and processors.
Q: Sure. References for this question are Article 28 and Recital (81) of the GDPR.GOTO:CONTROLLER_PROCESSOR
A: Okay. I have more questions about obligations.
Q: Sure. References for this question are Article 28 and Recital (81) of the GDPR.GOTO:OBLIGATIONS
A: Alright. I have more questions about the GDPR in general.
Q: Sure. References for this question are Article 28 and Recital (81) of the GDPR.GOTO:EUROPA_YES
A: Are the obligations the same regardless of the amount of data my company/organisation handles?
Q: The General Data Protection Regulation (GDPR) takes a risk-based approach. In other words, companies/organisations processing personal data are expected to implement protective measures corresponding to the level of risk of their data processing activities. Therefore, the obligations on a company processing a lot of data are generally more onerous than on a company processing a small amount of data.
A: Go on.
Q: For example, a company/organisation processing a lot of data is more likely to have to appoint a data protection officer than one processing a small amount of data (this links to the notion of processing personal data on a 'large scale'). At the same time, the nature of the personal data and the impact of the envisaged processing also play a role. Processing a small amount of data that is of a sensitive nature, for example health data, would require more stringent measures to comply with the GDPR.
A: And?
Q: In all cases, the principles of data protection must be respected and individuals allowed to exercise their rights.
A: Great. I have more questions about obligations under the GDPR.
Q: Okay. The reference for this question is Chapter IV of the GDPR.GOTO:OBLIGATIONS
A: Okay. I have more questions about the GDPR in general.
Q: Okay. The reference for this question is Chapter IV of the GDPR.GOTO:EUROPA_YES
A: What does data protection �by design� and �by default� mean?
Q: Companies/organisations are required to implement technical and organisational measures at the earliest stages of the design of their processing operations, in such a way that privacy and data protection principles are safeguarded right from the start ('data protection by design').
A: Go on.
Q:By default, companies/organisations must ensure that personal data is processed with the highest privacy protection (for example, only the data necessary for each specific purpose is processed, storage periods are short, and access is limited), so that personal data isn't made accessible to an indefinite number of persons without the individual's intervention ('data protection by default').
A: Can you give me an example of data protection by design?
Q: The use of pseudonymisation (replacing directly identifying fields with artificial identifiers, with the key or lookup table that links them back kept separately and under tighter access control) and encryption (encoding data so that only those holding the key can read it). Note that pseudonymised data is still personal data under the GDPR, because it can be re-identified with the additional information held separately; only genuinely anonymised data falls outside the Regulation.
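Here is an added worked example of the pseudonymisation half of that sentence, in Python. It is illustrative code written for this page, not code from the GDPR text, from BLIP, or from any regulator; the patient records in it are constructed for the example, and the field names and function names (pseudonym, pseudonymise, reidentify) are assumptions of the example. It shows the two design choices that make the technique work as a safeguard: the pseudonym is a keyed HMAC rather than a plain hash, so nobody can rebuild the mapping by hashing a list of known e-mail addresses, and the re-identification table is returned separately so it can be stored apart from the analysis copy under stricter access control.

```python
import hashlib
import hmac
import secrets

# Constructed sample: clinic visit records of the kind the doctor example
# above describes. The values are made up for this illustration.
SAMPLE_RECORDS = [
    {"name": "Anna Example", "email": "Anna@Example.org",
     "symptoms": "persistent cough", "medication": "drug A"},
    {"name": "Bert Example", "email": "bert@example.org",
     "symptoms": "fever", "medication": "drug B"},
    {"name": "Anna Example", "email": "anna@example.org ",
     "symptoms": "headache", "medication": "drug C"},
]

# Fields that directly identify the patient and must not reach the
# analysis copy of the data (assumed field names for this example).
DIRECT_IDENTIFIERS = ("name", "email")


def new_pseudonym_key() -> bytes:
    """Generate the secret key that turns identifiers into pseudonyms.

    Keep it apart from the pseudonymised data set (different system,
    different access rights): whoever holds it can re-link every record.
    """
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of a normalised identifier.

    A plain unkeyed hash of an e-mail address is NOT a good pseudonym:
    anyone can hash a list of known addresses and match them. With a
    secret key the mapping cannot be rebuilt without that key.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Split records into (pseudonymised_copy, reidentification_table).

    The pseudonymised copy keeps the clinical fields plus a stable token
    per patient, so analysis can still link visits of the same person.
    The table token -> identifiers is the 'additional information' that
    must be stored separately, under stricter access control.
    """
    pseudonymised = []
    table = {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        table[token] = {field: rec[field].strip() for field in DIRECT_IDENTIFIERS}
        pseudonymised.append(
            {"subject": token,
             **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return pseudonymised, table


def reidentify(token: str, table: dict):
    """Look a token up in the separately held table (authorised staff only)."""
    return table.get(token)


if __name__ == "__main__":
    key = new_pseudonym_key()
    copy, table = pseudonymise(SAMPLE_RECORDS, key)
    for row in copy:
        print(row)
    print("re-identified:", reidentify(copy[0]["subject"], table))
```

Encryption of the remaining fields is the second technique the sentence names and is not shown here; in practice it is applied first to the re-identification table and the key store, since those are the parts whose disclosure undoes the safeguard.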
A: Great. Can I see an example of data protection by default?
Q: A social media platform should set users' profile settings to the most privacy-friendly option by, for example, limiting from the start the accessibility of users' profiles so that they aren't accessible by default to an indefinite number of persons.
A: Great. I have more questions about obligations under the GDPR.
Q: Okay. The references for this question are Article 25 and Recital 78 of the GDPR.GOTO:OBLIGATIONS
A: Okay. I have more questions about the GDPR in general.
Q: Okay. The references for this question are Article 25 and Recital 78 of the GDPR.GOTO:EUROPA_YES
A: What is a data breach and what do we have to do in case of a data breach?
Q: A data breach occurs when personal data for which your company/organisation is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity (for example, the data is disclosed to an unauthorised party, lost, or altered). Unless the breach is unlikely to result in a risk to individuals' rights and freedoms, your company/organisation has to notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of the breach. If it misses that deadline, the notification must be accompanied by the reasons for the delay.
A: Go on.
Q: If your company/organisation is a data processor, it must notify the data controller of every data breach without undue delay after becoming aware of it; the controller then decides on notification to the supervisory authority and to the individuals.
A: Got it. Is there more?
Q: If the data breach poses a high risk to the individuals affected, they must also be informed without undue delay, unless effective technical and organisational protection measures had been applied to the affected data (for example, the data was encrypted and the key was not compromised), or other measures have since been taken that ensure the high risk is no longer likely to materialise.
As an organisation it is vital to implement appropriate technical and organisational measures to avoid possible data breaches.
A: Can you give me an example?
Q: Here's one where the organisation must notify the Data Protection Authority and individuals.
A: I'm ready.
Q: The data of a textile company's employees has been disclosed. The data included the personal addresses, family composition, monthly salary and medical claims of each employee. In that case, the textile company must inform the supervisory authority of the breach. Since it includes sensitive data, such as health data, the company has to notify the employees as well.
A: Alright.
Q: A hospital employee decides to copy patients' details onto a CD and publishes them online. The hospital finds out a few days later. From the moment the hospital finds out, it has 72 hours to inform the supervisory authority and, since the personal details contain sensitive information such as whether a patient has cancer, is pregnant, etc., it has to inform the patients as well.
A: And?
Q: In that case, there would be doubts about whether the hospital had implemented appropriate technical and organisational protection measures. If it had (for example, by encrypting the data so that what was published is unreadable without a key that was not also exposed), a material risk to the patients would be unlikely and it could be exempt from notifying them.
A: Okay. How about one where a company must notify clients and they may then have to notify the Data Protection Agency and individuals?
Q: That's very specific. Have you done this before?
A: ...
Q: Okay, so a cloud service loses several hard drives containing personal data belonging to several of its clients. As a processor, it has to notify those clients without undue delay after becoming aware of the breach. Its clients, as controllers, are considered aware of the breach once the processor has informed them, and from that point must decide whether to notify the DPA and the individuals, depending on the data that was processed by the data processor.
A: Got it. I have more questions about obligations under GDPR.
Q: Okay. References for this question are Article 29 Working Party Guidelines on Personal data breach notification under Regulation 2016/679, 3 October 2017 (WP 250) and Articles 4(12), 33 and 34 and Recitals (85) to (88) of the GDPR.GOTO:OBLIGATIONS
A: Okay. I have more general questions about the GDPR.
Q: Okay. References for this question are Article 29 Working Party Guidelines on Personal data breach notification under Regulation 2016/679, 3 October 2017 (WP 250) and Articles 4(12), 33 and 34 and Recitals (85) to (88) of the GDPR.GOTO:EUROPA_YES
A: When is a Data Protection Impact Assessment (DPIA) required?
Q: A DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required at least in the following cases...
A: What are they?
Q: A systematic and extensive evaluation of the personal aspects of an individual, including profiling;
Processing of sensitive data on a large scale;
Systematic monitoring of publicly accessible areas on a large scale.
A: Okay.
Q: National DPAs publish lists of processing operations for which a DPIA is required, and the European Data Protection Board may issue further guidance. The DPIA should be conducted before the processing starts and should be treated as a living tool that is revisited as the processing changes, not as a one-off exercise.
A: Got it.
Q: Where there are residual high risks that can't be mitigated by the measures put in place, the DPA must be consulted prior to the start of the processing.
A: Can you give me an example where a DPIA is required?
Q: Okay. A bank screening its customers against a credit reference database; a hospital about to implement a new health information database with patients' health data; a bus operator about to implement on-board cameras to monitor drivers' and passengers' behaviour.
A: And what about one where a DPIA is not required?
Q: A doctor processing the personal data of their patients. In that case, there is no need for a DPIA, since processing by an individual doctor isn't done on a large scale where the number of patients is limited.
A: Okay. I have more questions about obligations under the GDPR.
Q: No sweat. References for this question are Article 29 Working Party Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is 'likely to result in a high risk' for the purposes of Regulation (EU) 2016/679, 4 April 2017 (WP 248) and Articles 35 and 36 and Recitals (89) to (96) of the GDPR.GOTO:OBLIGATIONS
A: Okay. I have more general questions about the GDPR.
Q: No sweat. References for this question are Article 29 Working Party Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is 'likely to result in a high risk' for the purposes of Regulation (EU) 2016/679, 4 April 2017 (WP 248) and Articles 35 and 36 and Recitals (89) to (96) of the GDPR.GOTO:EUROPA_YES
A: I have questions about Data Protection Officers (DPOs).
Q(DPOS): Sure thing. What's your question?
A: Does my company/organisation need to have a Data Protection Officer (DPO)?
Q: Your company/organisation needs to appoint a DPO, whether it's a controller or a processor, if its core activities involve processing of sensitive data on a large scale or involve large-scale, regular and systematic monitoring of individuals. In that respect, monitoring the behaviour of data subjects includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.
A: Okay.
Q: Public authorities and bodies always have an obligation to appoint a DPO (except for courts acting in their judicial capacity).
The DPO may be a staff member of your organisation or may be contracted externally on the basis of a service contract. A DPO can be an individual or an organisation.
A: Can I see some examples?
Q: Sure. A DPO is mandatory when your organization is: a hospital processing large sets of sensitive data; a security company responsible for monitoring shopping centres and public spaces; or, a small head-hunting company that profiles individuals.
A: How about where a DPO might not be mandatory?
Q: Sure. A DPO likely won't be mandatory if you're a local community doctor and you process the personal data of your patients, or you have a small law firm and you process the personal data of your clients.
A: Got it. I have some more questions about Data Protection Officers.
Q: Okay. References for this question are Article 29 Working Party Guidelines on Data Protection Officers, 5 April 2017 (WP 243) and Articles 37 to 39 and Recital (97) of the GDPR.GOTO:DPOS
A: Got it. I have some more questions about obligations under the GDPR.
Q: Okay. References for this question are Article 29 Working Party Guidelines on Data Protection Officers, 5 April 2017 (WP 243) and Articles 37 to 39 and Recital (97) of the GDPR.GOTO:OBLIGATIONS
A: Got it. I have some more questions about the GDPR in general.
Q: Okay. References for this question are Article 29 Working Party Guidelines on Data Protection Officers, 5 April 2017 (WP 243) and Articles 37 to 39 and Recital (97) of the GDPR.GOTO:EUROPA_YES
A: What are the responsibilities of a Data Protection Officer (DPO)?
Q: The DPO assists the controller or the processor in all issues relating to the protection of personal data. In particular, the DPO must:
A: Yeah?
Q: Inform and advise the controller or processor, as well as their employees, of their obligations under data protection law;
Monitor the organisation's compliance with all legislation relating to data protection, including through audits, awareness-raising activities and training of staff involved in processing operations;
A: And?
Q: Provide advice where a DPIA has been carried out and monitor its performance;
Act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights;
And cooperate with DPAs and act as a contact point for DPAs on issues relating to processing.
A: Anything else I should know?
Q: The organisation must involve the DPO, properly and in a timely manner, in all issues relating to the protection of personal data. The DPO must not receive any instructions from the controller or processor on how to carry out their tasks, and must not be dismissed or penalised for performing them. The DPO reports directly to the highest level of management of the organisation.
A: Got it. I have more questions about Data Protection Officers.
Q: Sure thing. References for this question are Articles 37 to 39 and Recital (97) of the GDPR.GOTO:DPOS
A: Okay. I have more questions about obligations.
Q: Sure thing. References for this question are Articles 37 to 39 and Recital (97) of the GDPR.GOTO:OBLIGATIONS
A: Got it. I have more questions about the GDPR.
Q: Sure thing. References for this question are Articles 37 to 39 and Recital (97) of the GDPR.GOTO:EUROPA_YES
A: What rules apply if my organisation transfers data outside the EU?
Q: In today's globalised world, there are large amounts of cross-border transfers of personal data, which are sometimes stored on servers in different countries. The protection offered by the General Data Protection Regulation (GDPR) travels with the data, meaning that the rules protecting personal data continue to apply regardless of where the data lands. This also applies when data is transferred to a country which is not a member of the EU (hereinafter referred to as a 'third country').
A: And?
Q: The GDPR provides different tools to frame data transfers from the EU to a third country.
A: Like what?
Q: Well, sometimes a third country may be declared as offering an adequate level of protection through a European Commission decision ('Adequacy Decision'), meaning that data can be transferred to a company in that third country without the data exporter being required to provide further safeguards or being subject to additional conditions. In other words, a transfer to an 'adequate' third country is comparable to a transmission of data within the EU.
A: What else?
Q: In the absence of an Adequacy Decision, a transfer can take place through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available for individuals. Such appropriate safeguards include...
A: Yeah?
Q: In the case of a group of undertakings, or a group of enterprises engaged in a joint economic activity, companies can transfer personal data within the group on the basis of so-called binding corporate rules (BCRs), which must be approved by the competent DPA...
A: And...?
Q: Contractual arrangements with the recipient of the personal data, using, for example, the standard contractual clauses approved by the European Commission...
A: And ... ...?
Q: Adherence to a code of conduct or certification mechanism together with obtaining binding and enforceable commitments from the recipient to apply the appropriate safeguards to protect the transferred data.
A: I see. Are there any other big scenarios?
Q: Yes. Finally, if a transfer of personal data is envisaged to a third country that isn't the subject of an Adequacy Decision and appropriate safeguards are absent, a transfer can be made on the basis of a number of derogations for specific situations, for example where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with it.
A: This is pretty complicated. Can you give me an example?
Q: Good idea. So, let's say you're a French company intending to expand its services to South America, notably Argentina, Uruguay and Brazil. The first step would be to check whether those third countries are subject to an Adequacy Decision. In this case, both Argentina and Uruguay have been declared adequate. You'd be able to transfer personal data to those two third countries without any additional safeguards, while for transfers to Brazil, which is not the subject of an Adequacy Decision, you'll have to frame your transfers by providing appropriate safeguards.
A: Got it. I have some more questions about obligations under the GDPR.
Q: Sure. References for this question are numerous: Chapter V (Articles 44 to 50) and Recitals (101) to (116) of the GDPR;
Article 29 Working Party's latest Working Documents on international transfers: Working Document on Adequacy Referential (update of Chapter One of WP 12), WP 254; Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules, WP 256; and Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules, WP 257.
See also for reference the European Commission Communication on Exchanging and Protecting Personal Data in a Globalised World, 10 January 2017.GOTO:OBLIGATIONS
A: Understood. I have some more general questions about the GDPR.
Q: Sure. References for this question are numerous: Chapter V (Articles 44 to 50) and Recitals (101) to (116) of the GDPR;
Article 29 Working Party's latest Working Documents on international transfers: Working Document on Adequacy Referential (update of Chapter One of WP 12), WP 254; Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules, WP 256; and Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules, WP 257.
See also for reference the European Commission Communication on Exchanging and Protecting Personal Data in a Globalised World, 10 January 2017.GOTO:EUROPA_YES
A: How can I demonstrate that my organisation is compliant with the GDPR?
Q: The principle of accountability is a cornerstone of the General Data Protection Regulation (GDPR). According to the GDPR, a business/organisation is responsible for complying with all data protection principles and is also responsible for demonstrating compliance. The GDPR provides businesses/organisations with a set of tools to help demonstrate accountability, some of which have to be mandatorily put in place.
A: Go on.
Q: For example, in specific cases the establishment of a DPO or conducting data protection impact assessments (DPIA) may be mandatory. Data controllers can choose to use other tools such as codes of conduct and certification mechanisms to demonstrate compliance with data protection principles.
A: And?
Q: You may adhere to a Code of Conduct prepared by a business association which has been approved by a DPA. A Code of Conduct may be given EU-wide validity through an implementing act of the Commission.
A: What else?
Q: You may adhere to a certification mechanism operated by one of the certification bodies that have received accreditation from a DPA or a national accreditation body or both, as decided in each Member State law.
A: And?
Q: Both codes of conduct and certification are optional instruments, and therefore it is up to your company/organisation to decide whether to adhere to a given code of conduct or to request certification. While your company/organisation still has to respect and comply with the GDPR, adherence to such instruments might be taken into consideration in the case of an enforcement measure against you for a breach of the GDPR.
A: Can you give me an example?
Q: Sure. The umbrella insurance body in the EU Member State of your company/organisation has had a Code of Conduct approved by the supervisory authority. A number of rival insurance firms have adhered to the Code. While adhering is voluntary, the adherence to the Code helps in demonstrating compliance with the GDPR.
A: Okay. I have more questions about obligations under the GDPR.
Q: Sure. References for this question are Article 24, Articles 40 to 43 and Article 83 and Recitals (98) to (100), (148), (150) and (151) of the GDPR.GOTO:OBLIGATIONS
A: Okay. I have more questions about the GDPR.
Q: Sure. References for this question are Article 24, Articles 40 to 43 and Article 83 and Recitals (98) to (100), (148), (150) and (151) of the GDPR.GOTO:EUROPA_YES
A: Dealing with citizens.
Q(CITIZENS): Okay. What would you like to know?
A: How should requests from individuals exercising their data protection rights be dealt with?
Q: Individuals may contact your company/organisation to exercise their rights under the GDPR (rights of access, rectification, erasure, portability, etc.). Where personal data is processed by electronic means, your company/organisation should provide a means for requests to be made electronically. Your company/organisation must reply to their request without undue delay, and in principle within one month of receipt of the request; that period can be extended by up to two further months for complex or numerous requests, provided the individual is told of the extension, and why, within the first month.
A: And?
Q: Where it has reasonable doubts about the identity of the person making the request, it can ask for additional information to confirm their identity before acting; responding to a request without verifying who is asking would itself disclose personal data to the wrong person.
If your company/organisation rejects the request, it has to inform the person, within the same one-month period, of the reasons for doing so and of their right to file a complaint with the Data Protection Authority and to seek a judicial remedy.
A: Is that all?
Q: Requests from individuals should be handled free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, you may charge a reasonable fee or refuse to act, but the burden of demonstrating that the request is manifestly unfounded or excessive lies with you.
A: Can you give me an example?
Q: Sure. A person who accessed all of their personal data the month before lodges the same request for access to the same personal data again. You may consider either informing them that you reject their request or requesting a reasonable fee.
A: Gotcha. I have more questions about dealing with citizens.
Q: Okay. References for this question are Article 12 and Articles 15 to 22 and Recitals (59) and (63) to (71) of the GDPR.GOTO:CITIZENS
A: Okay. I have more questions about the GDPR in general.
Q: Okay. References for this question are Article 12 and Articles 15 to 22 and Recitals (59) and (63) to (71) of the GDPR.GOTO:EUROPA_YES
A: What personal data and information can an individual access on request?
Q: When someone requests access to their personal data, your company/organisation must...
Confirm whether or not it is processing personal data concerning them;
Provide a copy of the personal data it holds about them;
And provide information about the processing (such as the purposes, categories of personal data, recipients, retention period, etc.).
A: Is that all?
Q: Your company/organisation must provide the individual with a copy of their personal data free of charge. However, a reasonable fee can be charged for further copies.
A: And?
Q: The exercise of the right of access is closely linked to the exercise of the right to data portability, which allows the individual to transmit their data to another organisation.
A: Is there anything else?
Q: It is important that your company/organisation's privacy notice draws a clear distinction between the two rights. Both rights therefore need to be mentioned, briefly and separately.
A: Can you give me an example?
Q: Your company/organisation provides an online social networking service through which individuals can exchange messages and pictures. A user requests access to their personal data in order to verify what personal data concerning them is processed by your company/organisation.
A: And?
Q: Your company/organisation must confirm that it is processing personal data concerning them and provide a copy (such as name, contact details, and the messages and pictures exchanged). Your company/organisation must also provide them with information about the processing; usually that would be in the privacy notice of your service.
A: Gotcha. I have more questions about dealing with citizens.
Q: Okay. References for this question are Article 15 and Recitals (63) and (64) of the GDPR.GOTO:CITIZENS
A: Okay. I have more questions about the GDPR in general.
Q: Okay. References for this question are Article 15 and Recitals (63) and (64) of the GDPR.GOTO:EUROPA_YES
A: Do we always have to delete personal data if a person asks?
Q: The General Data Protection Regulation (GDPR) gives individuals the right to ask for their data to be deleted, and organisations do have an obligation to do so, except in the following cases...
A: Which are?
Q: The personal data your company/organisation holds is needed to exercise the right of freedom of expression;
There is a legal obligation to keep that data;
It is needed for reasons of public interest (for example public health, or scientific, statistical or historical research purposes).
A: Anything else I should know?
Q: Plenty! If your company/organisation processed data unlawfully, it must delete it. Likewise, data that was collected from an individual while they were still a minor (for instance, when they signed up to an online service as a child) must be deleted on request.
A: And?
Q: With regard to the right to be forgotten online, if your company/organisation has made the personal data public, it is expected to take reasonable steps (including technical measures) to inform other controllers that are processing that data, for example other websites, that the individual has requested the erasure of their personal data.
A: Is that all?
Q: Data can also be kept if it has undergone an appropriate process of anonymisation.
A: Can you give me an example where data need to be deleted?
Q: Sure. Your company/organisation runs a social media platform. A minor uploads photos; some years later he decides that the photos are potentially harming his career prospects. Since the individual was a minor at the time of uploading, you're obliged to delete the photos. Furthermore, if the photos have been processed on other websites, your company/organisation must take reasonable steps to inform them that a request to delete the photos was filed.
A: Can you give me an example of data that do not need to be deleted?
Q: Your company/organisation runs an online newspaper. One of your journalists publishes a story on how a politician had laundered money in off-shore banks. The politician requests to remove the story because his personal data is being processed. Since the personal data is used to exercise the right of freedom of expression, your company/organisation is, in principle, not obliged to delete such data. However, this will depend on the national legislation in place.
A: I see. I have more questions about dealing with citizens.
Q: Of course! References for this question are Article 17 and Recitals (65) and (66) of the GDPR and Article 29 Working Party Guidelines on the implementation of the Court of Justice of the European Union judgment in 'Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González', C-131/12 (WP 225).GOTO:CITIZENS
A: Okay. I have more questions about the GDPR in general.
Q: Of course! References for this question are Article 17 and Recitals (65) and (66) of the GDPR and Article 29 Working Party Guidelines on the implementation of the Court of Justice of the European Union judgment in 'Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González', C-131/12 (WP 225).GOTO:EUROPA_YES
A: What happens if someone objects to my company processing their personal data?
Q: Oh boy. So, individuals have the right to object to the processing of their personal data on grounds relating to their particular situation. Whether such a particular situation exists must be examined on a case-by-case basis.
A: And?
Q: They may raise such an objection only where a public administration is processing the data in the context of its public tasks or where a company is processing the data on the basis of its legitimate interests. In such cases, your company/organisation may no longer process the data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual, or the data is necessary for the establishment, exercise or defence of legal claims.
A: Is that all?
Q: Individuals also have a right to object at any time to the processing of their personal data for direct marketing purposes. Direct marketing is understood under the General Data Protection Regulation as any action by a company to communicate advertising or marketing material, aimed at particular individuals.
A: Is there more?
Q: Your company/organisation must inform individuals in its privacy notice or at the latest at the time of the first communication with individuals, that it will be using their personal data for direct marketing and that they have a right to object free of charge. Where a person objects to processing for direct marketing purposes, your company/organisation may no longer process their personal data for such purposes.
A: Can you provide me with an example?
Q: In the insurance sector, personal data is very often needed for the defence of legal claims, in the context of anti-fraud or anti-money-laundering measures. In those cases, insurance companies may refuse to uphold an individual's objection on the basis of grounds that override the rights and freedoms of the individual.
A: Gotcha. I have more questions about dealing with citizens.
Q: Okay. References for the question are Article 21 and Recitals (69) and (70) of the GDPR and
Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:CITIZENS
A: Okay. I have more questions about the GDPR in general.
Q: Okay. References for the question are Article 21 and Recitals (69) and (70) of the GDPR and
Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.GOTO:EUROPA_YES
A: Can individuals ask to have their data transferred to another organisation?
Q: Yes, individuals have the right to data portability, that is, to receive from your company/organisation the personal data they provided to it in a structured, commonly used and machine-readable format, and to have it transmitted directly to another company/organisation where that is technically feasible. The right may only be exercised where the personal data was collected in the context of a contract or on the basis of consent, and the data is processed by automated means.
A: Are there any examples?
Q: Sure. A patient of a private clinic in Belgium is moving to another clinic in Germany. The individual asks the Belgian clinic, which has electronic files on them, to provide them with their personal data in a structured machine-readable format, to be able to transmit the data to the relevant health professionals in Germany.
A: And?
Q: The Belgian clinic should provide them with the personal data in a commonly used open format (e.g. XML, JSON, CSV, etc.). When selecting a data format, the organisation should consider how this format would affect or hinder the individual's right to re-use the data. For instance, providing an individual with PDF versions of their records may not be sufficient to ensure that the personal data can easily be re-used.
A: Gotcha. I have more questions about dealing with citizens.
Q: Sure thing. References for this question are Article 20 and Recital 68 of the GDPR and Article 29 Working Party Guidelines on the right to data portability (WP 242).GOTO:CITIZENS
A: Okay. I have more questions about the GDPR.
Q: Sure thing. References for this question are Article 20 and Recital 68 of the GDPR and Article 29 Working Party Guidelines on the right to data portability (WP 242).GOTO:EUROPA_YES
A: Are there restrictions on the use of automated decision-making?
Q: Yes, individuals have the right not to be subject to a decision that is based solely on automated processing (such as an algorithm) and that produces legal effects concerning them or similarly significantly affects them.
A: And?
Q: A decision may be considered as producing legal effects when the individual's legal rights or legal status are affected (for example, their right to vote). In addition, processing can significantly affect an individual if it influences their personal circumstances, their behaviour or their choices (for example, automated processing that leads to the refusal of an online credit application).
A: And?
Q: Solely automated decision-making of that kind is authorised only in the following cases...
A: Which are?
Q: The decision based on the algorithm is necessary (i.e. there must be no other way to achieve the same goal) to enter into or to perform a contract with the individual whose data your company/organisation processed via the algorithm (for example, an online loan application)...
A: Or...?
Q: A particular European or national law authorises the use of the algorithm and provides for suitable safeguards to protect the individual's rights, freedoms and legitimate interests (for example, anti-tax-evasion regulations)...
A: Or...?
Q: The individual has explicitly consented to a decision based on the algorithm.
A: Anything else?
Q: However, the decision-making still needs to protect the individual's rights, freedoms and legitimate interests by implementing suitable safeguards. Except where such decision-making is based on a law, the individual must at least be informed of (i) the logic involved in the decision-making process, (ii) their right to obtain human intervention, (iii) the potential consequences of the processing and (iv) their right to contest the decision.
A: And?
Q: Your company/organisation must therefore make the required procedural arrangements to allow the individual to express their point of view and to contest the decision.
A: Is there something else?
Q: Finally, particular attention should be given if the algorithm uses special categories of personal data: automated decision-making is then only allowed in the following circumstances...
A: Which are?
Q: The individual has given their explicit consent;
Or the processing is necessary for reasons of substantial public interest under European or national law.
A: Anything more?
Q: Furthermore, if the individual is a child, decisions made solely on automated processing that produce legal effects or effects which are of similar significance for the child should be avoided, because children represent a more vulnerable group of society.
A: Can you give me an example?
Q: Your company/organisation is an online bank offering loans. Clients enter their data and an algorithm produces a result on whether they should be offered a loan and at what interest rate. Your company/organisation needs to have a person review that decision before communicating it to the prospective client, and inform the client that they may express their opinion and contest the decision, keeping in mind that the individual has the right not to be subject to a decision based solely on the algorithm.
A: Cool. I have more questions about dealing with citizens.
Q: Gotcha. References for this question are Articles 4(4) and 22 and Recitals (71) and (72) of the GDPR and Article 29 Working Party Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP 251).GOTO:CITIZENS
A: Okay. I have more questions about the GDPR in general.
Q: Okay. References for this question are Articles 4(4) and 22 and Recitals (71) and (72) of the GDPR and Article 29 Working Party Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP 251).GOTO:EUROPA_YES
A: Enforcement.
Q(ENFORCEMENT): What are your enforcement questions?
A: What is the role of the Data Protection Authority?
Q: One of the roles of the DPA is to publish expert advice on data protection issues. It informs the general public about the rights and obligations related to data protection, and in particular the General Data Protection Regulation (GDPR). One relevant example is the obligation imposed on the DPAs to establish and make public a list of processing operations that require a data protection impact assessment.
A: Go on.
Q: Some DPAs have already published handbooks and other tools to help businesses understand their obligations under the GDPR and individuals understand their rights. In addition, the Article 29 Working Party, which is the group of national European DPAs (to be replaced by the European Data Protection Board), has produced a number of documents interpreting the provisions of data protection law. The DPA can't, however, give advice in individual cases or replace a competent lawyer.
A: And?
Q: Your company/organisation does not need to notify the DPA that it processes data. However, prior consultation with the DPA is required when a DPIA indicates that the processing would pose a high risk and residual risks remain despite the safeguards put in place.
A: Anything else?
Q: Yes. Your company/organisation would also need to contact the DPA in the case of a data breach. For some specific types of data processing, national laws might still require your company/organisation to obtain an authorisation from your DPA.
A: Can you give me an example?
Q: You own a shop selling household goods. You process client data such as delivery addresses and billing details required in the nature of your business. In this case you don't need to notify the DPA.
A: Okay. I have more questions about enforcement of the GDPR.
Q: Sure. References for this question are Chapter IV and Chapter VI of the GDPR, and the WP 29 guidelines on the GDPR, especially the guidelines on the DPIA and guidelines on data breach notifications.GOTO:ENFORCEMENT
A: Okay. I have more questions about the GDPR.
Q: Sure. References for this question are Chapter IV and Chapter VI of the GDPR, and the WP 29 guidelines on the GDPR, especially the guidelines on the DPIA and guidelines on data breach notifications.GOTO:EUROPA_YES
A: What is the European Data Protection Board (EDPB)?
Q: The EDPB is an EU body in charge of the application of the General Data Protection Regulation (GDPR) as of 25 May 2018. It's made up of the head of each DPA and of the European Data Protection Supervisor (EDPS) or their representatives. The European Commission takes part in the meetings of the EDPB without voting rights. The secretariat of the EDPB is provided by the EDPS.
A: And?
Q: The EDPB will be at the centre of the new data protection landscape in the EU. It will help ensure that the data protection law is applied consistently across the EU and work to ensure effective cooperation amongst DPAs.
A: And?
Q: The Board will not only issue guidelines on the interpretation of core concepts of the GDPR but also be called to rule by binding decisions on disputes regarding cross-border processing, ensuring therefore a uniform application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions.
A: Okay. I have more questions about enforcement of the GDPR.
Q: Sure. References for this question are Articles 63 to 76 and Recitals (135) to (140) of the GDPR.GOTO:ENFORCEMENT
A: Okay. I have more questions about the GDPR.
Q: Sure. References for this question are Articles 63 to 76 and Recitals (135) to (140) of the GDPR.GOTO:EUROPA_YES
A: What happens if my company processes data in different EU Member States?
Q: The General Data Protection Regulation (GDPR) applies throughout the EU: one set of data protection rules for all EU Member States. This spares your company/organisation the need to get to grips with several different laws.
A: Is there more?
Q: In certain areas, EU Member States can further specify the application of the rules of the GDPR (for example employment rules; public health sector; rules on reconciliation between freedom of expression and data protection). The GDPR also introduces the so called 'one-stop-shop' mechanism, which ensures cooperation between the Data Protection Authorities (DPAs) in the case of cross-border processing.
A: Anything else?
Q: If your company/organisation is processing data in different countries, the competent DPA (which will be the lead authority in its dealings with other concerned DPAs in the EU) is the DPA of the EU Member State where it has the main establishment.
A: How do you determine where the main establishment is? What does that mean?
Q: The main establishment is the company/organisation's central administration in the EU unless decisions about the purposes and means of processing of personal data are taken in another establishment and that establishment has the power to implement those decisions.
A: Oh.
Q: If your company/organisation processes data in order to fulfil an obligation under the national law of an EU Member State, only the DPA of that EU Member State is competent.
A: Can you give me an example?
Q: A textile company's main establishment (that is to say its headquarters) is in Italy. It has satellite shops in neighbouring countries such as Malta, Greece, France and Austria. In those neighbouring countries, its satellite shops set up databases which process customers' personal data for marketing purposes.
A: ...
Q: However, the decisions on 'how' to contact the said customers, 'when' and 'why' are taken at the headquarters in Italy. Thus, in this case, the decision on the processing of personal data for marketing purposes is deemed to be made in Italy. The Italian DPA is the lead authority for your company/organisation.
A: Gotcha. I have more questions about enforcement.
Q: Okay. References for this question are Article 29 Working Party Guidelines on the Lead Supervisory Authority and its annex (Frequently asked questions), 5 April 2017 and Articles 4(23), 55, 56 and 60 to 70 and Recitals (124) to (140) of the GDPR.GOTO:ENFORCEMENT
A: Gotcha. I have more questions about the GDPR in general.
Q: Okay. References for this question are Article 29 Working Party Guidelines on the Lead Supervisory Authority and its annex (Frequently asked questions), 5 April 2017 and Articles 4(23), 55, 56 and 60 to 70 and Recitals (124) to (140) of the GDPR.GOTO:EUROPA_YES
A: Resources to read more about the GDPR.
Q: You can find all sorts of handy things here at the site for the European Commission.
A: Gotcha.
Q: Ready to move on?
A: Yes.
Q:GOTO:EU_DISCLAIMER
A: No. I have more questions about the GDPR.
Q:Okay.GOTO:EUROPA_YES
A: I'm ready to move on.
Q:GOTO:EU_DISCLAIMER
A: No thanks. I'm ready to go on.
Q:GOTO:EU_DISCLAIMER
Q(EU_DISCLAIMER): The information and guidance in this tool are intended to contribute to a better understanding of EU data protection rules.
A: I understand.
Q: This is intended purely as a guidance tool; only the text of the General Data Protection Regulation (GDPR) has legal force. As a consequence, only the GDPR is liable to create rights and obligations for individuals. This guidance does not create any enforceable right or expectation.
A: I see and agree.
Q: The binding interpretation of EU legislation is the exclusive competence of the Court of Justice of the European Union. The views expressed in this guidance are without prejudice to the position that the Commission might take before the Court of Justice.
A: I understand and acknowledge.
Q: Neither LTL, BLIP, nor the creators of and contributors to this tool, nor David Colarusso (creator of QnA Markup), nor the European Commission nor any person acting on behalf of the European Commission is responsible for the use which might be made of the information contained in this tool.
A: I understand and agree.
Q: As this guidance reflects the state of the art at the time of its drafting, it should be regarded as a 'living tool' open for improvement and its content may be subject to modifications without notice.
A: I understand and affirm.
Q: Great. This was last updated on May 10, 2018.
Are you ready to move on?
A: Yes.
Q:GOTO:POINT_OF_NO_RETURN
A: No.
Q: What's up?
A: I don't agree with some of the stuff we've just discussed.
Q: This is only an educational tool that provides you with information. It is a collaborative effort designed to assist small business owners and entrepreneurs with some background on the GDPR, and, at the next stage, to help them draft a letter intended for an attorney to help focus the conversation. If, for some reason, you don't agree with us here or you have questions, you can send us a message.
A: Okay. I don't feel comfortable going any further.
Q: I'm afraid we can't go any further with you if you have these kinds of concerns.GOTO:ENDRUN
A: I understand and would like to continue.
Q:GOTO:POINT_OF_NO_RETURN
Q(POINT_OF_NO_RETURN): We're about to move on to the next section where we'll ask you some questions.
A: Cool. I'm ready.
Q:GOTO:LAUNCHPAD
A: WAIT!!! I want to go back!
Q: Okay. No problem! What sort of questions do you have?
A: I have questions about this tool.
Q:GOTO:TOOL_QUESTIONS
A: I have general questions about the GDPR.
Q:GOTO:GDPR_QUESTIONS
A: I want to see the EU's Guidance again.
Q:GOTO:EUROPA_YES
A: I changed my mind. I don't have any more questions at this time and am ready to move on.
Q:GOTO:LAUNCHPAD
Q(LAUNCHPAD): So, the tool is now in two places. To advance to the next section, click here to go to the next step.
Q(ENDRUN): Thanks for stopping by.