Privacy and Data Protection based on the GDPR. Leo Besemer
Part II is the backbone of this book. We start with the main characters. Who are those ‘stakeholders’? Who is responsible, who is accountable, and for what exactly? What responsibilities, duties, rights and obligations come with the role they have? The controller is responsible and accountable for compliance with the GDPR, including the implementation of the principles of personal data processing and the principles of data protection by design and by default. The processor processes personal data on the instructions of the controller but, unlike before, is also responsible for its own compliance with the GDPR. And the data protection officer acts as an independent advisor, facilitating a seamless merger between the company’s interests and compliance with the GDPR.
We then move on to the practical side of things. The principles for processing personal data are covered in Chapter 3; among other things, they require that processing shall be lawful. Chapter 4 details the six lawful grounds for processing. Chapter 5 covers the rights of the data subject, the individual whose personal data is to be processed. That includes what kind of requests exercising those rights an organization should expect, and how to deal with those requests in an effective and efficient manner.
Chapter 6 deals with data governance: methods to deal responsibly with the valuable data of an organization within the requirements set by the GDPR. The last chapter of this part, Chapter 7, examines modern techniques such as tracking and tracing for the collection of personal data and its further processing. It also examines the area of tension between artificial intelligence and machine learning on the one hand, which form the basis for valuable services, and on the other hand the requirements set by the law to protect the citizen whose personal data is required for those services.
Part III deals with international transfers of data: the concept of data transfer and the rules regarding hiring processors in third countries; the protection of individuals in the EEA from the risks of controllers processing their data through websites based in third countries, and of storage in the cloud, which in practice may amount to a server park somewhere in a distant country; and the rules for transfers within the EEA and from the EEA to third countries, including data transfers to the USA and the United Kingdom.
Part IV is about assessing the risks of processing and mitigating those risks. Chapter 10 details the data protection impact assessment (DPIA), which assesses the risks to the data subjects and their data caused by a processing operation, but also the risks for the organization. Chapter 11 covers data breaches and mitigating the consequences of such a security incident, including the mandatory procedures for investigation and notification.
Part V covers the framework of supervisory authorities (DPAs), each monitoring the implementation of the GDPR in its own territory but also cooperating closely to maintain harmonization. It describes their legal basis, competencies, tasks and powers, and the role of the DPA in enforcement: inspections, warnings and administrative fines.
In this book I refer to a “supervisory authority” as the concept of an authority overseeing international cooperation, and to a “data protection authority” (DPA) as the national (or regional) institution with its tasks and responsibilities. In the context of the GDPR there is no real difference between these two terms.
The Appendices contain sources and references: the literature used in writing this book and recommended for further reading, among which are the publications of the EDPB, which detail extensively the concepts and articles of the GDPR. There is also an index to help you find the topics you are looking for.
References to the GDPR
In this book I will often provide references to the General Data Protection Regulation, both in footnotes and by quoting parts of the legal text, like this:
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes (…)
GDPR Article 5
In a footnote, and indeed also in other literature on this topic, subparagraph (a) of the article quoted above would be referred to as GDPR Article 5(1)(a), pronounced as Article 5, paragraph 1, subparagraph a. The ellipsis (…) in the second subparagraph indicates that the quote does not contain the complete GDPR article. GDPR Article 5 actually consists of two paragraphs, of which the first is subdivided into six subparagraphs (a through f).
Preceding the 99 articles, the GDPR also contains 173 recitals:
Whereas:
(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.
GDPR Recital (1)
This (first) recital of the GDPR would be referred to as GDPR Recital (1), with the (Arabic) number enclosed in brackets. The recitals are a very important part of the GDPR, as they provide context and explain the meaning of the articles. You cannot fully understand the meaning of the articles, their intention, scope and reach, without taking the corresponding recitals into consideration. Unfortunately, the text of the GDPR does not indicate which recitals a specific article relates to. One must read through the whole document to see the connections. Or take the better alternative: read this book.
PART I | Privacy and data protection history and scope
In this first part of the book we look into the history of privacy and data protection law. The need for privacy has increased tremendously over the past century, fueled by advancements in technology that offer ever more opportunities to collect information about individuals. The concept of privacy as a fundamental right was only established after, and undoubtedly also as a result of, the Second World War. Chapter 1 describes how the right to privacy was incorporated in treaties and later in law, and how this ultimately led to the General Data Protection Regulation (GDPR) which is applicable law in the EU and the Member States of the European Economic Area.
We then move on to the context in which the GDPR interacts with other European law and with national law in the Member States. We sometimes tend to forget how much legislative power we have given to the EU. Based on the Treaty on the Functioning of the European Union (TFEU), however, the GDPR as a European regulation not only interacts with national law, it supersedes it.
The GDPR is very important for anyone who processes personal data on European residents in any way, but the scope of the law is not unlimited. That is what the rest of Chapter 1 is devoted to. Questions like “can we still send season’s greetings” and “what about the rowing club’s list of members” are answered there.
1 History and context
Key subjects
In this chapter we will cover: