1. Legend
1.1. Chapters from the book in blue
1.2. Paragraph or titled section from the book in bold
1.3. Enumeration/subdivision in bold and yellow
2. II. Historical and Legal Context of the General Data Protection Regulation
2.1. Two main actors
2.1.1. Council of Europe (CoE)
2.1.2. European Union (EU)
2.2. Fundamental human rights and freedoms
2.2.1. e.g.
2.2.1.1. the right to equality
2.2.1.2. freedom of thought
2.3. 1. Legal Instruments of the Council of Europe and the European Union
2.3.1. 1.1 The Council of Europe (CoE)
2.3.1.1. International organisation
2.3.1.2. Based in Strasbourg
2.3.1.3. Founded in 1949
2.3.1.4. Founded to protect and promote
2.3.1.4.1. democracy
2.3.1.4.2. human rights
2.3.1.4.3. the rule of law in Europe
2.3.1.5. Has 47 member states
2.3.1.5.1. 27 are Member States of the EU
2.3.1.6. Committee of Ministers
2.3.1.6.1. CoE's main decision-making body
2.3.1.6.2. Foreign ministers of the 47 member states
2.3.1.6.3. Acts on behalf of the CoE and decides what actions are required to further the aims and objectives of the organisation
2.3.1.7. Important part in international law
2.3.1.8. Three main types of documents as instruments
2.3.1.8.1. to take legislative measures
2.3.1.8.2. to promote its values
2.3.1.8.3. to advise its member states
2.3.1.8.4. Treaties (or conventions or covenants)
2.3.1.8.5. Resolutions
2.3.1.8.6. Declarations
2.3.2. 1.2 The European Union (EU)
2.3.2.1. Association of 27 European countries
2.3.2.2. founded to create political and economic unity between states which are wholly or partially in Europe
2.3.2.3. History
2.3.2.3.1. Product of a gradual integration process; started out as economic cooperation between Western European countries
2.3.2.3.2. 1952
2.3.2.3.3. 1957
2.3.2.3.4. Over time, European countries developed a desire for greater economic, monetary, political and cultural integration
2.3.2.3.5. 1992
2.3.2.4. Decision-making
2.3.2.4.1. EU's overall political direction and priorities are set by the European Council
2.3.2.4.2. European Commission
2.3.2.4.3. Main decision-making bodies:
2.3.2.4.4. Most EU laws are adopted through 'ordinary legislative procedure' (co-decision)
2.3.2.5. Legal instruments
2.3.2.5.1. 4 types of binding legislative instruments (to pursue laws)
2.4. 2. The Right to Privacy and the Right to Data Protection in Europe
2.4.1. TO DO
3. III. The House of Data Protection
3.1. 1. Terms and Scope
3.1.1. 1.1 Personal Data
3.1.1.1. GDPR's main objective: "Lay down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data"
3.1.1.2. 1.1.1 Definition of personal data
3.1.1.2.1. "Any information relating to an identified or identifiable natural person (data subject)" (4 criteria)
3.1.1.2.2. Application of the definition of "personal data"
3.1.1.3. 1.1.2 Data masking and identifiability: pseudonymisation and anonymisation
3.1.1.3.1. How do these influence the data subject's identifiability?
3.1.1.3.2. Pseudonymisation
3.1.1.3.3. Anonymisation
3.1.2. 1.2 Processing
3.1.2.1. 1.2.1 Definition of processing
3.1.2.1.1. Processing: "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction"
3.1.2.1.2. Anything that can be done with personal data
3.1.2.1.3. Any activity that involves or affects personal data in any way, disregarding whether the activity is performed by hand or by machine
3.1.2.1.4. Anonymisation
3.1.2.2. 1.2.2 Processing activities within and outside the scope of the GDPR
3.1.2.2.1. The GDPR applies to any activity that involves or affects personal data, regardless of whether the data are computerised or paper-based
3.1.2.2.2. The GDPR applies to processing activities carried out by
3.1.2.2.3. 6 types of processing activities that are exempted
3.1.3. 1.3 Key Data Protection Roles
3.1.3.1. 1.3.1 Data subject
3.1.3.1.1. "an identified or identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier or to one or more factors specific to the identity of that natural person"
3.1.3.1.2. Is a living individual
3.1.3.1.3. Can be distinguished from all other individuals within a group of persons, based on information that
3.1.3.1.4. Is the individual to whom the personal data refers
3.1.3.1.5. Goals of all data subject rights: To ensure that data subjects possess sufficient ...
3.1.3.1.6. 10 data subject rights. The right ...
3.1.3.1.7. Controllers are obliged to comply with, and facilitate the exercise of, all data subject rights
3.1.3.2. 1.3.2 Controller and joint controllers
3.1.3.2.1. "The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data" Article 4 (7)
3.1.3.2.2. Primary control over a processing operation and the personal data affected by it
3.1.3.2.3. Key decision-maker who determines the most essential aspects of the processing
3.1.3.2.4. The entity who possesses "factual influence" over the processing
3.1.3.2.5. Primary responsible for any processing carried out by the controller or on the controller's behalf
3.1.3.2.6. Accountable
3.1.3.2.7. Ultimately responsible for achieving and demonstrating compliance with the Regulation's provisions
3.1.3.2.8. Liable for any damage caused by data breaches or non-compliance with the GDPR
3.1.3.2.9. Joint controllers
3.1.3.3. 1.3.3 Processor and sub-processor
3.1.3.3.1. "natural or legal person which processes personal data on behalf of the controller" (Article 4 (8))
3.1.3.3.2. Is a separate entity with respect to the controller who executes processing activities at the request of the controller and in line with the controller's instruction
3.1.3.3.3. 2 ways a controller can engage a processor
3.1.3.3.4. Sub-processors
3.1.3.3.5. To give effect to the controller's accountability obligation, it is very important to unambiguously identify the entity that assumes the role of controller in respect of a processing activity
3.1.3.3.6. Roles of controllers and processors are not absolute
3.1.3.4. 1.3.4 Representative
3.1.3.4.1. Non-EU controllers and processors
3.1.3.4.2. Must be
3.1.3.4.3. Is a designated liaison body between
3.1.3.4.4. Has not to be a lawyer or security expert
3.1.3.4.5. Designation of a representative does not relieve a controller or processor from any responsibility for GDPR-compliance
3.1.3.5. 1.3.5 Third party
3.1.3.5.1. "a natural or legal person other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data" (Article 4 (10))
3.1.3.5.2. Any actor who has no specific authorisation from the controller or processor to perform processing activities in relation to the personal data
3.1.3.6. 1.3.6 Recipient
3.1.3.6.1. "any natural or legal person, public authority, agency or another body, to which the personal data are disclosed" (Article 4 (9))
3.1.3.6.2. Any individual or organisation that has been given access to the personal data
3.1.3.6.3. All parties, authorised or unauthorised, to whom the personal data have been made available by the controller or processor
3.1.3.6.4. From the controller's perspective, "recipient" encompasses other independent (joint) controllers as well as processors and third parties
3.1.3.6.5. The GDPR does not regard public authorities as recipients, insofar as the personal data are disclosed to these public authorities in accordance with a legal obligation for the exercise of their official mission
3.1.3.7. 1.3.7 Data Protection Officer (DPO)
3.1.3.7.1. also referred to as "Privacy Officer" in sources other than the GDPR
3.1.3.7.2. Is an employee or a third-party entity appointed by the controller or processor on a mandatory or voluntary basis to assist the controller or processor in data protection issues and to advise the controller or processor on GDPR-compliance
3.1.3.7.3. <to be elaborated>
3.1.3.8. 1.3.8 Supervisory authority
3.1.3.8.1. also referred to as "(national) Data Protection Authority (DPA)" in sources other than the GDPR
3.1.3.8.2. Independent authority
3.1.3.8.3. Monitors and enforces the consistent application of the GDPR and other data protection laws in Member States
3.1.3.8.4. Each Member State is required to appoint one or more public authorities to fulfil this role (Article 51)
3.1.3.8.5. All controllers and processors are subject to the supervision of the data protection authority of their main establishment
3.1.3.8.6. Cross-border processing
3.1.3.8.7. Various powers (Article 58)
3.1.3.8.8. Tasks (include but not limited to) (Article 57)
3.1.3.8.9. Required to perform its tasks free of charge for the data subject and the DPO
3.1.3.9. 1.3.9 European Data Protection Supervisor (EDPS)
3.1.3.9.1. Supervises the processing of personal data by EU institutions and bodies
3.1.3.9.2. Monitors personal data processing by the EU
3.1.3.9.3. Advises EU institutions and bodies on different aspects of personal data processing, related policies and legislation
3.1.3.9.4. Handles data subjects complaints
3.1.3.9.5. Cooperates with the national supervisory authorities to ensure consistency in data protection
3.1.3.9.6. Monitors new technologies that might have impact on data protection
3.1.3.10. 1.3.10 European Data Protection Board (EDPB)
3.1.3.10.1. Based in Brussels
3.1.3.10.2. Independent European body
3.1.3.10.3. Composed of
3.1.3.10.4. Accrediting data protection certification bodies
3.1.3.10.5. Established to ensure the consistent application of the Regulation
3.1.4. 1.4 Territorial Scope of the GDPR
3.1.4.1. 1.4.1 Controllers and processors with and without an establishment in the EU
3.1.4.1.1. Data protection requirements become less related to the physical location of the controller or the processor, and more bound up with the individuals whose personal data are processed
3.1.4.1.2. 3 main cases in which the GDPR applies (Article 3)
3.1.4.1.3. The GDPR applies to the processing of the personal data of all data subjects who are physically in the Union (incl. third-country visitors to the EU), as long as the processing activity concerned relates to offering goods or services, or monitoring behaviour.
3.1.4.2. 1.4.2 "Offering goods and services" and "monitoring behaviour"
3.1.4.2.1. "Offering goods and services"
3.1.4.2.2. "Monitoring behaviour"
3.1.4.3. 1.4.3 Controllers and processors in Liechtenstein, Iceland, Norway, Switzerland and the UK
3.1.4.3.1. Liechtenstein, Iceland and Norway
3.1.4.3.2. Switzerland
3.1.4.3.3. UK
3.2. 2. Processing Principles
3.2.1. 7 general processing principles (Article 5)
3.2.1.1. 1. Lawfulness, fairness, and transparency
3.2.1.2. 2. Purpose limitation
3.2.1.3. 3. Data minimisation
3.2.1.4. 4. Accuracy
3.2.1.5. 5. Storage limitation
3.2.1.6. 6. Integrity and confidentiality
3.2.1.7. 7. Accountability
3.2.2. 2.1 Understanding the Seven Processing Principles
3.2.2.1. 2.1.1 Lawfulness, fairness, and transparency p. 78
3.2.2.1.1. Lawfulness
3.2.2.1.2. Fairness
3.2.2.1.3. Transparency
3.2.2.2. 2.1.2 Purpose limitation p. 80
3.2.2.2.1. Personal data
3.2.2.2.2. The controller must determine
3.2.2.2.3. Purpose is only legitimate if based on one of the lawful grounds set out under the principles of lawfulness
3.2.2.2.4. Purpose must be phrased in an explicit manner
3.2.2.2.5. Allows personal data processing only for the specific purpose(s) for which the data were collected
3.2.2.2.6. Processing for any other purpose than the ones for which the data were collected is prohibited
3.2.2.2.7. 3 main aspects to consider when assessing the compatibility of purposes
3.2.2.2.8. In case of incompatible purposes
3.2.2.3. 2.1.3 Data minimisation p. 82
3.2.2.3.1. Requires the controllers to limit the personal data collection to those personal data that are absolutely necessary to fulfil the specific, explicit and legitimate purpose of the processing
3.2.2.3.2. The personal data should be adequate, relevant and limited to what is necessary for the purpose for which they are processed
3.2.2.3.3. Personal data may only be processed if "the purpose of the processing could not reasonably be fulfilled by other means"
3.2.2.4. 2.1.4 Accuracy p. 83
3.2.2.4.1. Requires the controllers to take every reasonable step to ensure that personal data that are "inaccurate" are erased or rectified
3.2.2.4.2. Personal data must be "accurate and, where necessary, kept up to date"
3.2.2.4.3. The "accuracy" of personal data depends on the specific purpose for which the data were collected
3.2.2.4.4. Strongly linked to data subject's right to request and obtain the rectification of their inaccurate personal data
3.2.2.5. 2.1.5 Storage limitation
3.2.2.5.1. Requires controllers
3.2.2.5.2. This principle follows from the principle of purpose limitation
3.2.2.5.3. "The period for which the personal data are stored is limited to a strict minimum"
3.2.2.5.4. Longer retention period allowed where the personal data are processed (Article 89 (1))
3.2.2.6. 2.1.6 Integrity and confidentiality
3.2.2.6.1. Requires controllers to ensure the security of the personal data against "unauthorised or unlawful processing and against accidental loss, destruction or damage" by using "appropriate technical and organisational measures"
3.2.2.6.2. The Regulation suggests that controllers and processors will be able to demonstrate adherence to the integrity and confidentiality principle by obtaining an approved certificate or implementing an approved code of conduct.
3.2.2.6.3. Importance of documenting every security measure the controller has taken
3.2.2.7. 2.1.7 Accountability
3.2.2.7.1. The controller is responsible for, and must be able to demonstrate compliance with, the data protection principles set out in Article 5
3.2.2.7.2. The controller must be able to evidence that
3.2.3. 2.2 Lawfulness: The Six Lawful Bases
3.2.3.1. 2.2.1 The data subject's consent
3.2.3.1.1. "the data subject has given consent to the processing [...] for one or more specific purposes"
3.2.3.1.2. Relying on the data subject's consent has complex implications, as consent needs to meet strict requirements to be recognised as a valid ground for processing
3.2.3.1.3. Requirements
3.2.3.1.4. May only be used as a lawful basis if it can be ascertained that the data subjects who refuse consent have the same opportunities as those who provide consent
3.2.3.1.5. Four additional aspects controllers should consider before choosing consent as a lawful basis
3.2.3.1.6. Is often regarded as the least favourable lawful basis for personal data processing
3.2.3.2. 2.2.2 Contractual obligations and pre-contractual steps
3.2.3.2.1. "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract"
3.2.3.2.2. Controller must carefully assess whether the personal data are truly necessary for the purpose of performing the contract or taking the pre-contractual steps
3.2.3.3. 2.2.3 Legal obligations of the controller
3.2.3.3.1. "processing is necessary for compliance with a legal obligation to which the controller is subject"
3.2.3.3.2. The controller must demonstrate that the processing is truly necessary to comply with the legal obligation concerned
3.2.3.4. 2.2.4 Vital interests of a natural person
3.2.3.4.1. "processing is necessary to protect the vital interests of the data subject or of another natural person"
3.2.3.4.2. Only applies to "matters of life and death"
3.2.3.5. The controller should first contemplate whether the processing is truly essential for the life of the natural person(s) concerned
3.2.3.6. 2.2.5 The controller acts in the public interest or is an official authority
3.2.3.6.1. "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller"
3.2.3.6.2. Mostly relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest
3.2.3.6.3. Can only be invoked if the
3.2.3.7. 2.2.6 Legitimate interests of the controller or a third party
3.2.3.7.1. "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child"
3.2.3.7.2. "Legitimate interest" is primarily determined based on the relationship between the controller and the data subject and the data subject's reasonable expectations regarding the use of their personal data
3.2.3.7.3. The legitimate interest must be clearly identified
3.2.3.7.4. The controller must be able to demonstrate that the processing is necessary to achieve the legitimate interest
3.2.3.7.5. Every processing activity based on the controller's (or third party's) legitimate interest should be balanced against the data subject's interests, rights and freedoms, as those might override the controller's interests
3.2.3.7.6. It is also possible that the controller's compelling legitimate interests override the interests, rights and freedoms of the data subjects
3.2.3.7.7. Profiling: the following aspects must be assessed
3.2.3.8. 2.2.7 Application of the principle of lawfulness
3.2.3.8.1. <to be elaborated>
3.3. 3. Restrictions
3.3.1. 3.1 Restrictions Following from the Nature of the Personal Data
3.3.1.1. 3.1.1 Processing special categories of personal data (sensitive data)
3.3.1.1.1. Two categories of personal data under enhanced protection
3.3.1.1.2. 10 special category conditions (Article 9 (2))
3.3.1.1.3. Additional considerations
3.3.2. 3.2 Restrictions Following from the Nature of the Processing Activities
3.3.2.1. <to be elaborated>
3.3.3. 3.3. Restrictions Following from the Data Subject's Rights
3.3.3.1. <to be elaborated>
3.3.4. 3.4 Restrictions Following from the GDPR's Territorial Scope
3.3.4.1. <to be elaborated>
3.4. 4. Obligations
3.4.1. 4.1 Obligation to facilitate the exercise of data subject rights
3.4.1.1. Article 12, 15-22
3.4.1.2. 4.1.1 Managing data subject requests
3.4.1.2.1. Controllers must ensure the appropriate management of data subject requests
3.4.1.2.2. The controller should place special emphasis on underpinning its decisions with valid arguments and demonstrating that all accepted requests have been met
3.4.1.2.3. Controllers are advised to register data subject requests
3.4.1.3. 4.1.2 The right to be informed and the Privacy Notice
3.4.1.3.1. Providing data subjects with sufficient information about the rules, safeguards and rights in relation to the processing of their personal data is an essential component of fair and transparent processing
3.4.1.3.2. Information to be provided under the right to be informed includes ...
3.4.1.3.3. If the personal data are obtained from the data subject, the data subject must be provided with the information outlined above ...
3.4.1.3.4. A good Privacy Notice satisfies the principle of fairness and transparency, which means that it is ...
3.4.2. 4.2 Obligation to ensure the security of processing
3.4.2.1. Article 24, 25, 32
3.4.2.2. 4.2.1 Appropriate technical and organisational measures
3.4.2.2.1. The principle of integrity and confidentiality requires controllers and processors to implement "appropriate technical and organisational measures" to protect personal data against ...
3.4.2.2.2. Guarantee the security of the processing includes safeguarding the ongoing ...
3.4.2.2.3. Controllers and processors are obliged to monitor their security measures and evaluate the measures' effectiveness
3.4.2.2.4. Technical measures
3.4.2.2.5. Organisational measures
3.4.2.2.6. Regulation only mentions two examples of "appropriate" security measures
3.4.2.2.7. Assessment of the measures should be based on the specific context of the processing, namely ...
3.4.2.2.8. The "appropriateness" of the measures is determined based on risk assessments (DPIAs)
3.4.2.2.9. DPIAs are specific types of risk assessment that aim to identify and evaluate the risks the processing entails for data subjects' rights and freedoms
3.4.2.2.10. The Regulation only requires the controller to demonstrate that the security measures are based on appropriate risk management processes, and that the measures provide sufficient protection to keep the risk at acceptable levels
3.4.2.3. 4.2.2 Data protection by design and by default
3.4.2.3.1. Two concepts not explained in the GDPR but are explicitly referenced in Article 25 and Recital 78
3.4.2.3.2. Data protection by design or "privacy by design"
3.4.2.3.3. Data protection by default
3.4.2.3.4. Relies on 7 fundamental principles to promote privacy assurance as "an organisation's default mode of operation"
3.4.2.3.5. Involves both organisational and technological components
3.4.2.3.6. For more guidance on security measures refer to
3.4.3. 4.3 Obligation to perform Data Protection Impact Assessments (DPIA)
3.4.3.1. Article 32
3.4.3.2. DPIAs are specific types of risk assessments that aim to identify and evaluate the risks the processing of personal data may pose for data subjects' rights and interests
3.4.3.3. Most important difference between a DPIA and traditional risk assessment:
3.4.3.3.1. during a DPIA
3.4.3.3.2. traditional risk assessments
3.4.3.4. DPIAs are an integral part of data protection by design
3.4.3.4.1. as they allow the integration of data protection aspects into a project or process at the earliest stage
3.4.3.5. DPIAs enhance the controller's ability to identify appropriate security measures and demonstrate the "appropriateness" of the security measures implemented by the controller
3.4.3.6. DPIAs are not mandatory for every processing activity
3.4.3.7. DPIA is mandatory if the processing is "likely to result in a high risk to the rights and freedoms of natural persons" Article 35
3.4.3.8. Three guideposts to determine whether the risk is "high"
3.4.3.8.1. That the likelihood and severity of the risk should be evaluated on the basis of an objective assessment Recital 76
3.4.3.8.2. A DPIA should be required when considerable amounts of data are processed and the processing affects a large number of data subjects Recital 91
3.4.3.8.3. Evaluation or scoring, profiling, automated decision-making, the large-scale processing of sensitive data and large-scale systematic monitoring are concrete examples of high risk Article 35
3.4.3.9. List of nine criteria to provide further clarification on the concept of "high risk" Article 29 Working Party
3.4.3.9.1. 1. Evaluation or scoring, including profiling and predicting
3.4.3.9.2. 2. Automated-decision making where the decision has a legal or similarly significant effect on the data subjects
3.4.3.9.3. 3. Systematic monitoring
3.4.3.9.4. 4. Processing sensitive data or data of highly personal nature
3.4.3.9.5. 5. Processing of personal data on a large scale
3.4.3.9.6. 6. Matching or combining datasets
3.4.3.9.7. 7. Data concerning vulnerable data subject
3.4.3.9.8. 8. Innovative use or application of new technological or organisational solutions
3.4.3.9.9. 9. The processing prevents data subjects from exercising a right or using a service or a contract
3.4.3.10. The more criteria are met by the processing, the more likely it is that the processing presents a high risk to the rights and freedoms of data subjects and, therefore, the more likely it is that the processing requires a DPIA Article 29 Working Party
3.4.3.11. Certain processing activities may require a DPIA even if only one criterion applies
3.4.3.12. DPIA must contain the following information
3.4.3.12.1. 1. A description of the processing operations and their purposes
3.4.3.12.2. 2. A description of the lawful bases
3.4.3.12.3. 3. An assessment of the necessity and proportionality of the processing
3.4.3.12.4. 4. An assessment of the risks to the rights and freedoms of data subjects
3.4.3.12.5. 5. The measures (to be) taken to address the risks and ensure the protection of the personal data
3.4.3.12.6. 6. The measures (to be) taken to demonstrate compliance with the GDPR
3.4.3.13. The obligation to perform a DPIA does not necessarily mean that a new DPIA must be performed for every new processing activity.
3.4.3.13.1. Activities that use similar technologies and process the same sort of personal data for the same purposes, may use the results of the same DPIA
3.4.3.14. Although the performance of a DPIA is not always mandatory, controllers and processors should bear in mind that the appropriateness of their security measures is determined based on the risks entailed by the processing
3.4.3.14.1. Performing a DPIA may only be required for certain processing activities, but adopting a risk-based approach to personal data processing in general is mandatory at all times
3.4.4. 4.4 Obligation to consult with the supervisory authority
3.4.4.1. Article 36
3.4.4.2. Controllers are required to consult the supervisory authority prior to the processing if ... Article 36
3.4.4.2.1. the DPIA indicates that the processing would result in a high risk which the controller cannot mitigate by appropriate security measures
3.4.4.3. When consulting the supervisory authority, the controller is required to provide the supervisory authority with the following information
3.4.4.3.1. 1. Information about the respective responsibilities of the parties involved in the processing
3.4.4.3.2. 2. The purpose and means of the intended processing
3.4.4.3.3. 3. The security measures and safeguards
3.4.4.3.4. 4. The contact details of the Data Protection Officer
3.4.4.3.5. 5. The Data Protection Impact Assessment documentation
3.4.4.3.6. 6. Any other information requested by the supervisory authority
3.4.5. 4.5 Obligation to conclude binding arrangements
3.4.5.1. Article 26-29
3.4.5.2. 4.5.1 Controller-processor agreements
3.4.5.2.1. To ensure their processors' compliance, controllers are required to make appropriate and binding legal arrangements with their processors
3.4.5.2.2. Requirements
3.4.5.3. 4.5.2 Other agreements
3.4.5.3.1. The GDPR also regulates relationships between joint controllers and controllers/processors and their representatives
3.4.5.3.2. Joint controllers must draw up an arrangement that duly reflects their respective roles in relation to the processing and their respective responsibilities for compliance with the GDPR
3.4.5.3.3. Representatives must be appointed by controllers and processors who are not established in the EU (EEA)
3.4.5.3.4. Representatives must have a mandate to represent the controller/processor in the EU (EEA) in respect of all issues relating to the processing, and they must have sufficient authorisation to act as a contact point for the supervisory authority and the data subjects
3.4.5.3.5. For controllers or processors whose data subjects are in more than one Member State, it is enough to appoint a representative in one of those Member States
3.4.6. 4.6 Obligation to create and maintain registers
3.4.6.1. Article 30
3.4.6.2. 4.6.1 Records of processing activities
3.4.6.2.1. Both the controller and the processor (or their representative) are required to draw up and maintain written records of their processing activities
3.4.6.2.2. Organisations that employ fewer than 250 persons are exempt from this obligation provided that they only process personal data occasionally and the processing is not likely to result in a risk to the rights and freedoms of data subjects
3.4.6.2.3. If sensitive data or data related to criminal offences and convictions are processed, the register is mandatory
3.4.6.2.4. Records must contain at least
3.4.6.2.5. All records must be kept in an electronic form and disclosed to the supervisory authority on request
3.4.6.2.6. Records of processing activities must be maintained and kept up to date
3.4.6.2.7. As the records must be disclosed to the supervisory authority on request and the DPO's mandatory tasks under the GDPR include communicating with the supervisory authority, the DPO is usually given ownership of the records
3.4.6.3. 4.6.2 Data breach registers
3.4.6.3.1. The controller must document all data breaches that relate to the personal data processed by the controller
3.4.6.3.2. Data breach records also enable the controller to draw lessons from a breach and answer eventual questions raised by data subjects
3.4.7. 4.7 Obligation to designate a Data Protection Officer
3.4.7.1. Article 37-39
3.4.7.2. Obliged if
3.4.7.2.1. 1. The controller or processor is a public authority or body
3.4.7.2.2. 2. The controller's or processor's core activities consist of processing operations which require the regular and systematic monitoring of data subjects on a large scale
3.4.7.2.3. 3. The controller's or processor's core activities consist of processing on a large scale of special categories of data (sensitive data) or personal data relating to criminal convictions and offences
3.4.7.3. Obligation to appoint a DPO is independent of the size of the controller's or processor's organisation
3.4.7.4. Organisations that do not fall within the scope of the obligation to designate a DPO may voluntarily appoint a DPO to provide the organisation with useful advice on data protection
3.4.7.4.1. in particular, on ...
3.4.7.4.2. and act as the contact point for data subjects and the supervisory authority
3.4.7.5. The DPO's help is invaluable when it comes to drawing up privacy policies, monitoring what data the organisation can process on what ground, creating data subject rights management schemes, monitoring the developments in supervisory authorities and national law, and ensuring that employees are aware of their data protection obligations
3.4.7.6. DPOs may be full-time or part-time staff members of the controller or the processor, or external organisations or individuals
3.4.7.7. Regardless of whether the DPO is internal or external, controllers and processors should bear in mind that the GDPR requires them to provide their DPO with all the necessary resources (mandate, information and budget) to perform their data protection tasks and to maintain their expert knowledge
3.4.7.8. Controllers and processors should be aware that the DPO is not personally responsible for GDPR-compliance
3.4.8. 4.8 Obligation to communicate with a data subject and the supervisory authority in the event of a data breach
3.4.8.1. Article 33, 34, 36
3.4.8.2. See Chapter 5 Communication
3.5. 5. Communication
3.5.1. 5.1 Data breach in the Context of the GDPR
3.5.1.1. "Data breach": a breach of security leading to the accidental or unlawful ... (Article 4 (12))
3.5.1.1.1. destruction
3.5.1.1.2. loss
3.5.1.1.3. alteration
3.5.1.1.4. unauthorised disclosure of, or access to
3.5.1.2. Three well-known security principles
3.5.1.2.1. Confidentiality
3.5.1.2.2. Integrity
3.5.1.2.3. Availability
3.5.2. 5.2 Obligation to Notify a Personal Data Breach to the Supervisory Authority
3.5.2.1. Controllers are required to notify a breach to the competent supervisory authority (Article 33)
3.5.2.1.1. unless
3.5.2.2. Several adverse effects a breach can potentially have on individuals (Recital 85)
3.5.2.2.1. limitation of data subjects' rights
3.5.2.2.2. discrimination
3.5.2.2.3. identity theft or fraud
3.5.2.2.4. financial loss
3.5.2.2.5. unauthorised reversal of pseudonymisation
3.5.2.2.6. reputational damage
3.5.2.2.7. loss of confidentiality of personal data protected by professional secrecy
3.5.2.2.8. any other significant economic or social disadvantage
3.5.2.3. To determine whether a breach is "likely or unlikely to result in a risk", the controller should consider ...
3.5.2.3.1. the specific context of the processing
3.5.2.3.2. the type of the breach
3.5.2.3.3. security measures taken by the controller before the breach occurred
3.5.2.4. If the controller cannot demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of data subjects (Article 33)
3.5.2.4.1. the controller must notify the supervisory authority without undue delay and where feasible, not later than 72 hours after having become aware of the breach
3.5.2.5. A threat or vulnerability that might lead to a security breach is not (yet) a data breach
3.5.2.5.1. and thus does not need to be notified to the supervisory authority
3.5.2.6. In line with its obligation to ensure the security of processing, the controller should develop internal processes to be able to detect and address eventual breaches
3.5.2.6.1. Technical solutions
3.5.2.6.2. Organisational measures
3.5.2.6.3. These can be addressed in the controller's ...
3.5.2.7. <to be completed>
3.5.3. 5.3 Obligation to Inform the Data Subject About a Data Breach
3.6. 6. Accountability
3.6.1. The means by which the controller can demonstrate compliance with the GDPR, and presents a brief overview of the consequences of non-compliance
3.6.2. 6.1 Measures to Comply with the Accountability Principles
3.6.2.1. 6.1.1 Essential organisational measures
3.6.2.2. 6.1.2 Documentation
3.6.2.3. 6.1.3 Approved codes of conduct
3.6.2.4. 6.1.4 Approved certifications, seals and marks
3.6.2.5. 6.1.5 Audits and tests
3.6.2.6. 6.1.6 Standards
3.6.2.7. The GDPR obliges controllers to demonstrate ...
3.6.3. 6.2 Consequences of Non-Compliance